NOTES TO CONDENSED CONSOLIDATED FINANCIAL STATEMENTS
(unaudited)
Note 1 – Description of Business
Rubrik, Inc. (“Rubrik” or the “Company”) is on a mission to secure the world’s data. Rubrik offers data security solutions to organizations ranging from the largest companies worldwide to mid-sized smaller customers. The Company was incorporated in December 2013 as ScaleData, Inc., a Delaware corporation, and changed its name to Rubrik, Inc. in October 2014. The Company is headquartered in Palo Alto, California.
Initial Public Offering
In April 2024, the Company completed its initial public offering ("IPO") in which it issued and sold 23,500,000 shares of its Class A common stock at the public offering price of $32.00 per share (the "IPO Price"). The Company received net proceeds of approximately $700.0 million after deducting underwriting discounts and commissions, as well as offering costs.
Immediately prior to the completion of the IPO, all 74,182,559 shares of the Company’s then-outstanding redeemable convertible preferred stock automatically converted into an equal number of shares of Class B common stock, and all 5,400,000 shares of the Company’s then-outstanding convertible founder stock automatically converted into an equal number of shares of Class B common stock.
Prior to the IPO, deferred offering costs, which consist of direct incremental legal, accounting, and other fees relating to the IPO, were capitalized in other assets, noncurrent on the condensed consolidated balance sheets. Upon the consummation of the IPO, $10.3 million of deferred offering costs, net of reimbursement received from the underwriters, were reclassified into stockholders’ equity as an offset against the IPO proceeds.
Prior to the IPO, the Company granted restricted stock units (“RSUs”) with both service-based and liquidity event-related performance-based vesting conditions ("IPO Vesting RSUs"). Upon the consummation of the IPO, the Company recognized stock-based compensation expense for those IPO Vesting RSUs that had met or partially met the service-based vesting condition as the performance-based vesting condition was satisfied. To meet the related tax withholding requirements related to these IPO Vesting RSUs, the Company withheld 12,859,902 shares of Class A common stock subject to the vesting of the IPO Vesting RSUs with a value of $411.5 million to remit to the relevant tax authorities in cash to satisfy such tax obligations as well as any income tax withholding obligations arising as a result of settlement of such shares.
In May 2024, the underwriters exercised their option to purchase an additional 3,472,252 shares of Class A common stock at the IPO Price of $32.00 per share. The Company received net proceeds of approximately $105.1 million after deducting underwriters’ discounts and commissions, as well as offering costs.
Note 2 – Basis of Presentation and Summary of Significant Accounting Policies
Fiscal Year
The Company's fiscal year ends on January 31. For example, references to fiscal 2025 and 2024 refer to the fiscal years ending January 31, 2025 and January 31, 2024, respectively.
Basis of Presentation and Principles of Consolidation
The accompanying unaudited condensed consolidated financial statements have been prepared in conformity with accounting principles generally accepted in the United States (“U.S. GAAP”) and applicable rules and regulations of the U.S. Securities and Exchange Commission (the "SEC") regarding interim financial reporting. The unaudited condensed consolidated financial statements and notes include the Company and its wholly-owned subsidiaries and reflect all adjustments that, in the opinion of management, are necessary for a fair presentation of the interim periods presented. All intercompany accounts and transactions have been eliminated in consolidation. The unaudited condensed consolidated financial statements do not include all disclosures normally required in annual consolidated financial statements prepared in accordance with U.S. GAAP. Therefore, these unaudited condensed consolidated financial statements should be read in conjunction with the audited consolidated financial statements and notes included in the Company’s final prospectus dated April 24, 2024 and filed with the SEC pursuant to Rule 424(b)(4) on April 26, 2024 ("Final Prospectus").
The preparation of condensed consolidated financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported in the condensed consolidated financial statements and accompanying notes. Such management estimates include, but are not limited to, the estimation of standalone selling prices for performance obligations, the estimates for material rights, the application of a portfolio approach for capitalization of deferred commissions, the determination of the period of benefit for deferred commissions, the determination of fair value of the Company’s common stock prior to the completion of the IPO, the valuation of stock-based awards, the valuation and assessment of recoverability of intangible assets and their estimated useful lives, the assessment of goodwill impairment, the incremental borrowing rate used to value operating lease liabilities, the valuation of deferred income tax assets and uncertain tax positions, and contingencies. Management evaluates these estimates and assumptions on an ongoing basis using historical experience and other factors and makes adjustments when facts and circumstances dictate. Actual results could differ materially from these estimates.
Revenue Recognition
The Company generates revenue primarily from the sale of subscriptions and typically invoices customers at the inception of the contract. The Company’s contracts with customers have a typical stated duration ranging from one to five years, with the majority of contracts having a stated duration of three years. The Company’s contracts with customers are generally non-cancelable and non-refundable. The Company primarily sells products and services to end users through distributors and resellers (“Channel Partners”). Channel Partners are the Company’s customers. The Company offers rebates to its Channel Partners calculated as a fixed percentage of the total selling price of a revenue contract. The Company accounts for rebates as consideration payable to a customer and records the amounts as a reduction to revenue.
The Company determines revenue recognition through the following steps:
•Identification of the contract, or contracts, with a customer;
•Identification of the performance obligations in the contract;
•Determination of the transaction price;
•Allocation of the transaction price to the performance obligations in the contract; and
•Recognition of revenue when, or as, the Company satisfies a performance obligation.
Payment terms of the Company’s contracts range from 30 days to 60 days after fulfillment or service commencement date, except for certain contracts, which are billed in installments over the contract term.
The Company determines its transaction price based on the expected amount it is entitled to receive in exchange for transferring promised products and services to the customer.
The Company’s contracts with customers can include multiple products and services. The Company determines performance obligations in a customer contract by assessing whether products and services are capable of being distinct and distinct in the context of the contract, including customer options that are determined to be material rights. The transaction price is allocated to the separate performance obligations based on the relative standalone selling price basis. The standalone selling price is determined based on the price at which the performance obligation either is sold separately or, if not observable through past transactions, is estimated taking into account available information such as market conditions and internally approved pricing guidelines related to the performance obligations. For performance obligations that are not sold separately, standalone selling price is determined based on observable inputs, overall pricing trends, market conditions and other factors, such as the price charged by the Company’s competitors for similar products and services with any necessary or appropriate adjustments.
Subscription revenue
Subscription revenue consists of software-as-a-service (“SaaS”) subscriptions and subscription term-based licenses with related support services.
SaaS subscriptions include standalone sales of SaaS subscription products as well as sales of Rubrik Security Cloud (“RSC”). RSC is a fully-hosted subscription in the case of protection of cloud, SaaS, and unstructured data applications. When RSC is securing enterprise applications, it is a hybrid cloud subscription which includes software hosted from the cloud (as a service) and on-premise software licenses. RSC is accounted for as a single performance obligation because the software hosted from the cloud (as a service) and the on-premise software licenses are not separately identifiable and serve together to fulfill the Company’s promise to RSC customers, which is to provide a single, unified data security solution. The Company’s subscription capabilities are primarily sold as editions which bundle multiple products and include the Foundation Edition, Business Edition, Enterprise Edition, and Enterprise Proactive Edition. Subscription revenue related to SaaS is recognized ratably over the subscription period.
In December 2023, the FASB issued ASU 2023-09, Improvements to Income Tax Disclosures, which requires entities to provide consistent categories and greater disaggregation of information in the rate reconciliation as well as income tax paid disaggregated by jurisdiction to improve the transparency of income tax disclosures. ASU 2023-09 is effective for annual periods beginning after December 15, 2024, on a prospective basis, with early adoption permitted. The Company is assessing the timing and impact of adopting this standard.
In November 2024, the FASB issued ASU 2024-03, Income Statement - Reporting Comprehensive Income - Expense Disaggregation Disclosures, which requires entities to provide disclosures about specific types of expenses included in the expense captions presented on the face of the income statement as well as disclosures about selling expenses. ASU 2024-03 is effective for annual periods beginning after December 15, 2026, and interim periods beginning after December 15, 2027, on either a prospective or retrospective basis, with early adoption permitted. The Company is assessing the timing and impact of adopting this standard.
Note 3 – Revenue by Geography
The geographic regions are the Americas, EMEA (Europe, the Middle East, and Africa) and APAC (Asia Pacific). The Company operates as one segment. The following table sets forth revenue by geographic area based on ship to address (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Americas
$
169,350
$
115,969
$
450,785
$
315,922
EMEA
56,620
43,544
152,710
119,420
APAC
10,208
6,091
24,949
17,537
Total revenue
$
236,178
$
165,604
$
628,444
$
452,879
For the three months ended October 31, 2024 and 2023, United States accounted for $163.6 million and $112.1 million, respectively, or 69% and 68%, respectively, of consolidated total revenue. For the nine months ended October 31, 2024 and 2023, United States accounted for $434.1 million and $305.7 million, respectively, or 69% and 67%, respectively, of consolidated total revenue.
In August 2023, the Company acquired all outstanding stock of Laminar Technologies, Inc. (“Laminar”), a data security posture management platform. The Company accounted for this transaction as a business combination. The acquisition date fair value of the purchase consideration was $104.9 million, of which $90.8 million was paid in cash and the remainder in common stock. The cash consideration of $90.8 million excludes $23.8 million held back by the Company, which is subject to service-based vesting and will be recorded as expense over the period the services are provided. The acquisition of Laminar is to support Rubrik’s leadership position as a data security platform provider and help accelerate the Company’s cyber posture offerings. The Company recorded $11.0 million as an acquired developed technology intangible asset with an estimated useful life of three years and $96.1 million of goodwill which is primarily attributed to assembled workforce as well as the integration of Laminar’s technology with the Company’s technology. The goodwill is not deductible for tax purposes. The remaining assets acquired and liabilities assumed on the acquisition date were not material.
Pro forma results of operations for the business combination have not been presented, as they were not material to the condensed consolidated statements of operations. Acquisition-related costs for the business combination were expensed as incurred within general and administrative expense in the condensed consolidated statements of operations and were not material.
The Company recognized $0.9 million and $0.8 million amortization expense in acquired intangible assets for the three months ended October 31, 2024 and 2023, respectively, and $2.7 million and $0.8 million for the nine months ended October 31, 2024 and 2023, respectively.
Note 5 – Financial Instruments
The Company classifies its financial instruments within the fair value hierarchy based on the lowest level of input that is significant to the fair value measurement. Three levels of input may be used to measure fair value:
•Level 1 – Observable inputs are unadjusted quoted prices in active markets for identical assets or liabilities.
•Level 2 – Observable inputs are quoted for similar assets and liabilities in active markets or inputs other than quoted prices which are observable for the assets or liabilities, either directly or indirectly through market corroboration, for substantially the full term of the financial instruments.
•Level 3 – Unobservable inputs that are supported by little or no market activity and are significant to the fair value of the assets or liabilities. These inputs will be based on the Company’s own assumptions and will require significant management judgement or estimation.
The Company did not have any level 3 investments as of October 31, 2024 and January 31, 2024. The following table summarizes the Company’s cash and available-for-sale marketable securities’ amortized cost, gross unrealized gains, gross unrealized losses, and estimated fair value by significant investment category reported as cash and cash equivalents or short-term investments (in thousands):
The following table summarizes the estimated fair value of the Company’s investments by their remaining contractual maturity dates (in thousands):
October 31, 2024
Due within one year
$
451,938
Due between one to two years
76,143
Total
$
528,081
For available-for-sale debt securities that have unrealized losses, the Company evaluates whether (i) the Company has the intention to sell any of these investments, (ii) it is not more likely than not that the Company will be required to sell any of these available-for-sale debt securities before recovery of the entire amortized cost basis, and (iii) the decline in the fair value of the investment is due to credit or non-credit related factors. Based on this evaluation, the Company determined that for its short-term investments there were no material credit or non-credit related impairments as of October 31, 2024 and January 31, 2024.
Note 6 – Balance Sheet Components
Prepaid Expenses and Other Current Assets
Prepaid expenses and other current assets consisted of the following (in thousands):
Property and equipment, net consisted of the following (in thousands):
October 31,
January 31,
2024
2024
Equipment
$
71,515
$
91,645
Capitalized internal-use software
31,695
21,191
Leasehold improvements
12,559
12,350
Furniture and fixtures
4,679
4,150
Total property and equipment, gross
120,448
129,336
Less: accumulated depreciation and amortization
(71,154)
(81,463)
Total property and equipment, net
$
49,294
$
47,873
Depreciation expense related to the Company’s property and equipment, which did not include amortization expense related to capitalized internal-use software, was $4.3 million and $4.3 million for the three months ended October 31, 2024 and 2023, respectively, and $13.1 million and $12.5 million for the nine months ended October 31, 2024 and 2023, respectively.
Amortization expense relating to capitalized internal-use software was $2.2 million and $1.1 million for the three months ended October 31, 2024 and 2023, respectively, and $5.7 million and $4.5 million for the nine months ended October 31, 2024 and 2023, respectively.
Accrued Expenses and Other Current Liabilities
Accrued expenses and other current liabilities consisted of the following (in thousands):
October 31,
January 31,
2024
2024
Accrued expenses
$
27,318
$
41,773
Accrued bonuses
36,985
31,212
Accrued sales commissions
13,159
18,859
Accrued payroll-related expenses, taxes, and benefits
31,854
20,197
Operating lease liabilities
9,387
10,461
Other
2,461
432
Total accrued expenses and other current liabilities
$
121,164
$
122,934
Note 7 – Debt
Term Loan
In June 2022, the Company entered into a credit agreement with a consortium of lenders for a total $195.0 million revolving credit facility (the “Prior Credit Facility”) consisting of a $175.0 million term loan (the “Prior Closing Date Term Loan”) and $20.0 million in committed delayed-draw term loans (the “Prior Delayed Draw Term Loans”) with a maturity date of June 10, 2027. The proceeds of the Prior Delayed Draw Term Loans were to be used to pay accrued interest relating to the Prior Credit Facility. The Company also had the option to request incremental Delayed Draw Term Loan commitments (the “Prior Supplemental Delayed Draw Term Loans” and, together with the Prior Delayed Draw Term Loans and the Prior Closing Date Term Loan, collectively, the “Prior Loans”). The terms of the Prior Supplemental Delayed Draw Term Loans were identical to the Prior Delayed Draw Term Loans. The Company borrowed the full $175.0 million Prior Closing Date Term Loan with a closing date of June 10, 2022 and incurred $4.3 million debt discount and issuance costs.
Under the Prior Credit Facility, interest accrued on the Prior Loans, at the Company’s election made at the time of borrowing, at either the Alternate Base Rate (“ABR”) or Secured Overnight Financing Rate (“SOFR”). The Company also had the option to convert all or a portion of the outstanding principal amount to/from a SOFR-based loan to/from an ABR-based loan after the initial election. ABR loans had an annual interest rate equal to ABR plus 5.5%. ABR is a fluctuating interest rate per annum equal to the highest of: (i) prime rate, (ii) federal funds rate plus 0.5%, or (iii) Term SOFR for one month plus 1.0%. SOFR loans had an annual interest rate equal to Term SOFR plus 6.5%. Term SOFR is a rate per annum equal to the greater of: (i) the floor of 1.0% or (ii) the sum of Term SOFR Reference Rate plus Term SOFR Adjustment applicable to the comparable Interest Period (as defined in the June 2022 credit agreement). The Company had the option to elect an Interest Period of one, three, or six months on the SOFR loans as long as the election did not extend beyond the maturity date of June 10, 2027. The annual interest rate was subject to a 0.5% increase and separately, a 0.5% decrease depending on certain actions by the Company.
Interest on ABR loans was payable quarterly in arrears. Interest on SOFR loans was payable on the last day of each Interest Period, but if the interest period was more than three months, interest was payable on the last day of each three-month interval after the first day of such Interest Period.
In August 2023, the Company executed an amended and restated credit agreement with a consortium of lenders for a total $330.0 million revolving credit facility (the “Amended Credit Facility”) consisting of a $289.5 million term loan (the “Amended Term Loan”) and $40.5 million in committed delayed draw term loan (the “Amended Delayed Draw Term Loan”) with a maturity date of August 17, 2028. The Amended Credit Facility replaced the Prior Credit Facility. Immediately prior to the closing date of the Amended Credit Facility, the Company had an outstanding balance under the Prior Credit Facility of $193.6 million which consisted of $189.5 million of the Prior Loans and $4.1 million of unpaid interest under the Prior Credit Facility. The Company borrowed the full $289.5 million Amended Term Loan and used a portion to replace and refinance the full $189.5 million of the Prior Loans. The Company borrowed $4.1 million under the Amended Delayed Draw Term Loan to fund the unpaid interest under the Prior Credit Facility. The Company incurred $3.5 million debt discount costs in relation to the Amended Credit Facility.
The interest terms under the Amended Credit Facility are identical to the interest terms under the Prior Credit Facility except the ABR loan has an annual interest rate equal to ABR plus 6.0%, the SOFR loan has an annual interest rate equal to Term SOFR plus 7.0%, and the maturity date is August 17, 2028.
Under the Amended Credit Facility, the prepayment starts at 1.5% and reduces to zero beginning on the third anniversary from the closing date. Any amounts drawn and repaid or prepaid under the Amended Credit Facility may not be reborrowed.
The Company will have the option to fund up to 100.0% of cash interest with the proceeds of the Amended Delayed Draw Term Loan, subject to a 0.5% increase in the annual interest rate effective from the date of funding for 90 days, or 180 days if the Interest Period for such Amended Delayed Draw Term Loan is six months from the date of funding (the “Amended DDTL Utilization Interest Increase”).
Under the Amended Credit Facility, the annual interest rate on all outstanding principal amounts will be reduced by 0.5% if the Company’s Annualized Subscription Recurring Revenue (as defined in the amended credit agreement, "ASRR") is at least $500.0 million and the Company delivers a compliance certificate in accordance with the amended credit agreement (the “Amended ASRR Interest Decrease”).
The amended credit agreement contains certain covenants that require the Company, among other things, to maintain a specified minimum liquidity amount and minimum ASRR amount. Failure to comply with these covenants, along with other non-financial covenants, could result in an event of default, which may lead to acceleration of the amounts owed and/or the enforcement of other remedies by the lenders.
The Company had $6.9 million of debt discount and issuance costs on the $293.6 million Amended Term Loan and Amended Delayed Draw Term Loan as of August 17, 2023. The debt discount and issuance costs were recorded as a direct deduction from the long-term debt liability and are amortized into interest expense over the contractual term of the Amended Credit Facility.
Under the Amended Delayed Draw Term Loan, the Company borrowed $9.9 million and $4.1 million for the three months ended October 31, 2024 and 2023, respectively, and $29.1 million and $10.1 million for the nine months ended October 31, 2024 and 2023, respectively.
As of October 31, 2024 and January 31, 2024, the Company was in compliance with all of its debt covenants.
In April 2024, the Company entered into a purchase agreement with Goldman Sachs & Co. LLC and Barclays Capital Inc. (collectively, the “Purchasers”) for the Company to issue senior notes (the “Bridge Notes”) to the Purchasers for up to $450.0 million. The Company issued the Bridge Notes and received the funding from the Purchasers on April 25, 2024 (the “Funding Date”) in an aggregate amount of $321.4 million to fund a portion of the tax withholding and remittance obligations related to the settlement of RSUs in connection with the IPO. The Bridge Notes matured on April 29, 2024 (the “IPO Settlement Date”) and carried an annual interest rate of 7.0% starting from the Funding Date up to but excluding the date of repayment.
The Company incurred $0.6 million of discount and issuance costs in connection with the issuance of Bridge Notes and recorded it as a direct deduction from the Bridge Notes liability on the date of issuance.
On April 29, 2024, the Company repaid the outstanding principal amount of the Bridge Notes, including $0.2 million of accrued and unpaid interest which was recorded as interest expense. The aggregate unamortized amount of discount and issuance costs was fully amortized into interest expense for the three months ended April 30, 2024.
Note 8 – Commitments and Contingencies
Purchase Commitments
As of October 31, 2024, there were no significant changes outside the ordinary course of business to the Company's commitments and purchase obligations since January 31, 2024.
Litigation
From time to time, the Company receives inquiries and/or claims or is involved in legal disputes and/or matters. In the opinion of management, any liabilities resulting from these claims will not have a material adverse effect on the Company’s condensed consolidated balance sheets, condensed consolidated statements of operations, or condensed consolidated statements of cash flows.
Warranties and Indemnifications
The Company provides to qualifying customers a services warranty program for recovery of certain expenses related to data recovery and restoration in the event that data backed up using the Company’s solutions cannot be recovered following a ransomware attack. To date, costs relating to the warranty program have not been material.
The Company typically provides indemnification to customers for certain losses suffered or expenses incurred as a result of third-party claims arising from the Company’s infringement of a third-party’s intellectual property. Certain of these indemnification provisions survive termination or the expiration of the applicable agreement. The Company has not incurred a material liability relating to these indemnification provisions, and therefore, has not recorded a liability during any period for these indemnification provisions.
Note 9 – Redeemable Convertible Preferred Stock
Immediately prior to the closing of the IPO, all 74,182,559 shares of the Company's redeemable convertible preferred stock outstanding were automatically converted into an equivalent number of shares of Class B common stock on a one-to-one basis, and their carrying value of $714.7 million was reclassified into stockholders' equity. As of October 31, 2024, there were no shares of redeemable convertible preferred stock issued and outstanding.
Note 10 – Stockholders’ Deficit
Preferred Stock
In connection with the IPO, the Company’s amended and restated certificate of incorporation became effective, which authorized the issuance of 20,000,000 shares of undesignated preferred stock with a par value of $0.000025 per share with rights and preferences, including voting rights, designated from time to time by the board of directors.
The Company has two classes of common stock – Class A common stock and Class B common stock. In connection with the IPO, the Company’s amended and restated certificate of incorporation authorized the issuance of 1,070,000,000 shares of Class A common stock and 210,000,000 shares of Class B common stock. The shares of Class A common stock and Class B common stock are identical, except with respect to voting, conversion, and transfer rights. Each share of Class A common stock is entitled to one vote. Each share of Class B common stock is entitled to 20 votes. Class A and Class B common stock have a par value of $0.000025 per share, and are referred to collectively as common stock throughout the notes to the condensed consolidated financial statements, unless otherwise noted. Holders of common stock are entitled to receive any dividends as may be declared from time to time by the board of directors.
Each share of Class B common stock is convertible at any time at the option of the holder into one share of Class A common stock. Any holder’s shares of Class B common stock will convert automatically to Class A common stock, on a one-to-one basis, upon the earliest to occur following the Company's IPO: (i) sale or transfer of such share of Class B common stock, except for permitted transfers as described in the amended and restated certificate of incorporation; (ii) the death or incapacity of the Class B common stockholder (or 180 days following the date of the death or incapacity if the stockholder is one of the Company’s founders); and (iii) on the final conversion date, defined as the earliest of (a) the date fixed by the Company's board of directors that is no less than 61 days and no more than 180 days following the date on which the outstanding shares of Class B common stock represent less than 5% of the then outstanding shares of Class A and Class B common stock; (b) the last trading day of the fiscal year following the tenth anniversary of the effectiveness of the registration statement in connection with the Company’s IPO; (c) the date fixed by the Company’s board of directors that is no less than 61 days and no more than 180 days following the date that Bipul Sinha is no longer providing services to the Company as an officer, employee, or director; (d) the date fixed by the board of directors that is no less than 61 days and no more than 180 days following the death or incapacity of Mr. Sinha; or (e) the date specified by a vote of the holders of a majority of the outstanding shares of Class B common stock.
Immediately prior to the closing of the IPO, all 5,400,000 shares of the Company’s convertible founder stock outstanding were automatically converted into an equal number of shares of Class B common stock. As of October 31, 2024, there were no shares of convertible founder stock issued and outstanding.
Equity Incentive Plan
In January 2014, the Company adopted the 2014 Stock Option and Grant Plan, as amended (the “2014 Plan”). The 2014 Plan permits the grant of incentive stock options, non-qualified stock options, restricted stock awards, unrestricted stock awards, or RSU awards based on, or related to, shares of the Company’s common stock. The 2014 Plan was terminated in April 2024 in connection with the IPO, but continues to govern the terms of outstanding awards that were granted prior to the termination of the 2014 Plan. No further equity awards will be granted under the 2014 Plan. With the establishment of the 2024 Equity Incentive Plan (the “2024 Plan”), upon the expiration, forfeiture, cancellation, or reacquisition of any shares of Class B common stock underlying outstanding equity awards granted under the 2014 Plan, an equal number of shares of Class A common stock will become available for grant under the 2024 Plan. As of October 31, 2024, 32,559,134 shares of Class B common stock granted under the 2014 Plan remain outstanding.
In March 2024, the Company's board of directors adopted, and in April 2024, the Company's stockholders approved, the 2024 Plan, which became effective in connection with the Company’s IPO. The 2024 Plan provides for the grant of incentive stock options, nonqualified stock options, stock appreciation rights, restricted stock awards, RSU awards, performance-based awards, and other forms of awards to employees, non-employee directors and consultants, and employees and consultants of the Company's affiliates. A total of 46,073,027 shares of the Company’s Class A common stock have been reserved for future issuance under the 2024 Plan in addition to (i) shares underlying outstanding equity awards granted under the 2014 Plan that expire, or are forfeited, cancelled, or reacquired, as described above, and (ii) any automatic increases in the number of shares of Class A common stock reserved for future issuance under this plan. As of October 31, 2024, 61,430,628 shares were available for future issuance under the 2024 Plan.
In March 2024, the board of directors adopted, and in April 2024, the stockholders approved, the 2024 Employee Stock Purchase Plan (the “2024 ESPP” or the "ESPP"), which became effective in connection with the Company’s IPO. The 2024 ESPP authorizes the issuance of shares of Class A common stock pursuant to purchase rights granted to employees. A total of 4,607,303 shares of the Company’s Class A common stock have been reserved for future issuance under the 2024 ESPP, in addition to any automatic increases in the number of shares of Class A common stock reserved for future issuance under this plan. As of October 31, 2024, 4,200,534 shares were available for future issuance under the 2024 ESPP.
Stock Options
Options issued under the Company's 2014 Plan and 2024 Plan generally are exercisable for periods not to exceed 10 years and generally vest over four years with 25% vesting after one year and the remainder vesting monthly thereafter in equal installments.
A summary of the stock option activity and related information is as follows:
Number of Options
Weighted- Average Exercise Price
Weighted- Average Remaining Contractual Term (years)
Aggregate Intrinsic Value (in thousands)
Outstanding as of January 31, 2024
3,185,020
$
6.23
4.2
$
71,347
Granted
8,000,000
32.00
Exercised
(1,168,397)
5.64
31,720
Cancelled
(31,291)
15.92
Outstanding as of October 31, 2024
9,985,332
$
26.91
8.3
$
143,248
Vested and exercisable as of October 31, 2024
1,921,675
$
5.95
3.4
$
67,848
There were no options with only a service-based vesting condition granted during the nine months ended October 31, 2024 and 2023.
The intrinsic value of the options exercised represents the difference between the estimated fair market value of the Company’s common stock on the date of exercise and the exercise price of each option.
As of October 31, 2024, there was approximately $111.8 million of unrecognized stock-based compensation expense related to stock options, which is expected to be recognized over a weighted-average period of 2.5 years.
CEO Performance Award
In June 2022, the Company’s board of directors approved the grant of a stock option under the 2014 Plan to the Company's CEO, Mr. Sinha, to purchase up to 8,000,000 of Class B common stock, contingent and effective upon a listing event, which includes the Company's IPO (the “CEO Performance Award” or "the Award"). The CEO Performance Award was granted upon the Company's IPO in April 2024.
The CEO Performance Award consists of 10 tranches that may be earned as specified in the table below, subject to both 1) a service-based condition and 2) the achievement of Target Stock Value prior to the applicable Option Valuation Expiration Date. Stock price measurement will not commence until the expiration of any lock-up period. Target Stock Value with respect to the Award is based on the percentage of the IPO Price and will be achieved on the date when the volume-weighted average price of the Company's Class A common stock over a period of 90 consecutive days equals or exceeds the applicable Target Stock Value. The exercise price per share of the Award is the IPO Price. Each tranche of the Award will vest on the first date following satisfaction of both the service-based condition and the Target Stock Value subject to Mr. Sinha's continued service with the Company. The shares underlying each tranche will satisfy the service-based condition in 20 equal quarterly installments beginning in January 2022 and will expire in 10 years after the grant date.
The Company calculated the grant date fair value of the CEO Performance Award based on multiple stock price paths developed through the use of a Monte Carlo simulation model. A Monte Carlo simulation model also calculates a derived service period for each of the 10 vesting tranches, which is the measure of the expected time to achieve each Target Stock value under the scenarios where the Target Stock Value is in fact achieved prior to the Option Valuation Expiration Date. A Monte Carlo simulation model requires the use of various assumptions, including the underlying stock price, volatility, and the risk-free interest rate as of the valuation date, corresponding to the time to expiration of the options, and expected dividend yield. The weighted-average grant date fair value of the CEO Performance Award was $17.37 per share. The Company will recognize total stock-based compensation expense of $139.0 million over the derived service period of each tranche, which is between 1.2 to 4.5 years, using the accelerated attribution method as long as the CEO satisfies the service-based vesting condition. If the Target Stock Value is met sooner than the derived service period, the Company will adjust its stock-based compensation to reflect the cumulative expense associated with the vested awards. Provided that Mr. Sinha continues to be the Company's CEO, the Company will recognize stock-based compensation expense over the requisite service period, regardless of whether the Target Stock Values are achieved.
Restricted Stock Units
The Company grants service-based condition RSUs, service- and performance-based conditions RSUs, and service-, market-, and performance-based conditions RSUs. RSUs issued under the 2014 Plan typically have an expiry period of seven years from the grant date.
A summary of the RSU activity and related information is as follows:
Number of RSUs
Weighted-Average Grant Date Fair Value
Outstanding as of January 31, 2024
50,191,670
$
16.09
Granted
11,325,046
30.97
Vested
(35,887,817)
14.17
Forfeited
(2,344,247)
22.79
Unvested as of October 31, 2024
23,284,652
$
25.51
Vested and not yet released
1,179,941
5.79
Outstanding as of October 31, 2024
24,464,593
$
24.55
In February 2024, we modified an existing service- performance-, and market-based condition equity award of 1,158,082 RSUs by extending the expiration date from May 2, 2025 to May 2, 2028. The performance-based condition related to the occurrence of a qualifying event was satisfied at the completion of the Company's IPO. The total incremental fair value resulting from the modification was $24.1 million and the total stock-based compensation expense of the equity award of $30.4 million is recorded over the requisite service period. As of October 31, 2024, the Company has recognized all stock-based compensation expense for this equity award.
For the nine months ended October 31, 2024 and 2023, the total grant date fair value of vested RSUs was $508.7 million and zero, respectively.
As of October 31, 2024, there was approximately $337.0 million of unrecognized stock-based compensation expense related to RSUs, which is expected to be recognized over a weighted-average period of 1.9 years.
2024 Employee Stock Purchase Plan
In April 2024, the Company's 2024 ESPP became effective. A total of 4,607,303 shares of Class A common stock were initially reserved for issuance under the ESPP. The number of shares of Class A common stock reserved for issuance under the 2024 ESPP will automatically increase on February 1 of each fiscal year, beginning on February 1, 2025 and ending on and including February 1, 2034, by the lesser of (1) one percent (1%) of the aggregate number of shares of common stock of all classes issued and outstanding on January 31 of the preceding fiscal year, (2) 9,214,605 shares, or (3) a lesser number of shares determined by the Company's board of directors.
The 2024 ESPP allows eligible employees to purchase shares of Class A common stock at a discount through payroll deductions of up to 15% of their eligible compensation, subject to any plan limitations. Except for the initial offering period, the 2024 ESPP provides for 24-month offering periods beginning March 21 and September 21 of each year, and each offering period will consist of foursix-month purchase periods. The initial offering period began April 24, 2024, and will end on March 20, 2026.
On each purchase date, eligible employees will purchase Class A common stock at a price per share equal to 85% of the lesser of (1) the fair market value of the Class A common stock on the offering date, or (2) the fair market value of the Class A common stock on the purchase date. For the first offering period, which began on April 24, 2024, the fair market value of the Class A common stock on the offering date was $32.00, the price at which the Company's common stock was first sold to the public in the IPO, as specified in the final prospectus filed with the SEC on April 26, 2024, pursuant to Rule 424(b).
The Company estimated the fair value of ESPP purchase rights using a Black-Scholes option-pricing model with the following assumptions:
Three Months Ended
Nine Months Ended
October 31, 2024
October 31, 2024
Expected term (in years)
0.5 - 2.0
0.4 - 2.0
Expected volatility
56.5% - 69.1%
56.5% - 71.7%
Risk-free interest rate
3.6% - 4.4%
3.6% - 5.4%
Dividend yield
—
—
These assumptions and estimates were determined in accordance with the Company’s stock-based compensation expense policy within Note 2, Summary of Significant Accounting Policies in the notes to the consolidated financial statements in the Company’s Final Prospectus except as follows:
•Fair Value of common stock – After the completion of the Company’s IPO, the fair value of each share of the underlying common stock is based on the closing price of our Class A common stock as reported on the New York Stock Exchange on the date of the grant.
•Expected term – The ESPP purchase is made every six months during the 24-months offering period and the expected term coincides with the length of each purchase period.
As of October 31, 2024, there was approximately $17.0 million of unrecognized stock-based compensation expense related to the ESPP, which is expected to be recognized over a weighted-average period of 1.0 years.
Stock-Based Compensation Expense
Total stock-based compensation expense included in the Company’s condensed consolidated statements of operations was as follows (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Cost of revenue
Subscription
$
4,684
$
39
$
45,358
$
43
Maintenance
196
7
2,939
7
Other
1,075
2
13,603
8
Research and development
23,088
191
275,562
994
Sales and marketing
27,468
268
301,611
1,030
General and administrative
36,016
145
188,802
202
Total stock-based compensation expense
$
92,527
$
652
$
827,875
$
2,284
Note 11 – Net Loss Per Share
The Company computes net loss per share of common stock in conformity with the two-class method required for participating securities and multiple classes of common stock. Prior to the automatic conversion of all of the Company's redeemable convertible preferred stock outstanding into Class B common stock upon the completion of the IPO, the Company considered all series of its redeemable convertible preferred stock to be participating securities as the holders of the redeemable convertible preferred stock were entitled to receive a non-cumulative dividend on a pari passu basis in the event that a dividend is paid on the common stock. Under the two-class method, the net loss attributable to common stockholders was not allocated to the redeemable convertible preferred stock as the preferred stockholders did not have a contractual obligation to share in the Company’s losses.
Basic net loss per share attributable to common stockholders is computed by dividing the net loss attributable to common stockholders by the weighted-average number of shares of common stock outstanding during the period. Diluted net loss per share is computed by giving effect to all potential shares of common stock, including redeemable convertible preferred stock, issued and outstanding common stock options, unvested RSUs issued and outstanding, and ESPP, to the extent they are dilutive.
The rights, including the liquidation and dividend rights, of the holders of Class A and Class B common stock are identical, except with respect to voting, conversion, and transfer rights. As the liquidation and dividend rights are identical, the undistributed earnings are allocated on a proportionate basis to each class of common stock and the resulting basic and diluted net loss per share attributable to common stockholders are, therefore, the same for both Class A and Class B common stock on both individual and combined basis.
The following table presents the calculation of basic and diluted net loss per share (in thousands, except per share amounts):
Three Months Ended October 31,
2024
2023
Class A
Class B
Class A
Class B
Numerator:
Net loss
$
(53,934)
$
(76,976)
$
—
$
(86,267)
Denominator:
Weighted-average common stock shares used in computing net loss per share, basic and diluted
75,638
107,952
—
55,623
Weighted-average founders stock shares used in computing net loss per share, basic and diluted
—
—
—
5,400
Net loss per common stock share, basic and diluted
$
(0.71)
$
(0.71)
$
—
$
(1.41)
Net loss per founders stock share, basic and diluted
$
—
$
—
$
—
$
(1.41)
Nine Months Ended October 31,
2024
2023
Class A
Class B
Class A
Class B
Numerator:
Net loss
$
(327,198)
$
(712,733)
$
—
$
(256,661)
Denominator:
Weighted-average common stock shares used in computing net loss per share, basic and diluted
44,988
97,997
—
55,025
Weighted-average founders stock shares used in computing net loss per share, basic and diluted
—
—
—
5,400
Net loss per common stock share, basic and diluted
$
(7.27)
$
(7.27)
$
—
$
(4.25)
Net loss per founders stock share, basic and diluted
$
—
$
—
$
—
$
(4.25)
The following outstanding potentially dilutive securities were excluded from the computation of diluted net loss per share for the periods presented because the impact of including them would have been antidilutive (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Redeemable convertible preferred stock
—
74,183
—
74,183
Issued and outstanding common stock options
9,985
3,240
9,985
3,240
Unvested RSUs issued and outstanding
23,285
48,482
23,285
48,482
Total
33,270
125,905
33,270
125,905
Note 12 – Income Taxes
The Company recorded a tax expense of $1.9 million and $15.0 million for the three months ended October 31, 2024 and 2023, respectively, and $5.1 million and $19.3 million for the nine months ended October 31, 2024 and 2023, respectively. For the three months ended October 31, 2024, the income tax provision consisted of taxes on the income of the Company's foreign subsidiaries, foreign withholding taxes, and U.S. state taxes. For the three months ended October 31, 2023, the income tax provision consisted of taxes on the income of the Company's foreign subsidiaries, foreign withholding taxes, and U.S. state taxes, as well as the impact of integrating the operations of Laminar. For the nine months ended October 31, 2024, the income tax provision consisted of taxes on the income of the Company’s foreign subsidiaries, foreign withholding taxes, and U.S. state taxes partially offset by a U.S. federal & state tax benefit as a result of several of the Company's foreign subsidiaries making an election in the current year to be treated as U.S.
branches for federal income tax purposes effective in the fiscal year ended January 31, 2024. For the nine months ended October 31, 2023, the income tax provision consisted of taxes on the income of the Company's foreign subsidiaries, foreign withholding taxes, and U.S. state taxes as well as the impact of integrating the operations of Laminar.
As of October 31, 2024, the Company maintained a full valuation allowance on its U.S. federal and state net deferred tax assets as it was more likely than not that those deferred tax assets will not be realized.
Item 2. Management’s Discussion and Analysis of Financial Condition and Results of Operations
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our unaudited condensed consolidated financial statements and related notes appearing elsewhere in this Quarterly Report on Form 10-Q and our audited consolidated financial statements and the related notes and the discussion under the heading "Management's Discussion and Analysis of Financial Condition and Results of Operations" for the fiscal year ended January 31, 2024 included in the final prospectus for our initial public offering (IPO) dated as of April 24, 2024 and filed with the Securities and Exchange Commission (SEC), pursuant to Rule 424(b)(4) on April 26, 2024 ("Final Prospectus"). Some of the information contained in this discussion and analysis, including information with respect to our planned investments in our research and development, sales and marketing, and general and administrative functions, includes forward-looking statements that involve risks and uncertainties as described under the heading “Special Note About Forward-Looking Statements” in this Quarterly Report on Form 10-Q. You should review the disclosure under the heading “Risk Factors” in this Quarterly Report on Form 10-Q for a discussion of important factors that could cause our actual results to differ materially from those anticipated in these forward-looking statements.
Unless the context otherwise requires, all references in this Quarterly Report on Form 10-Q to “we,” “us,” “our,” “our company,” and “Rubrik” refer to Rubrik, Inc. and its consolidated subsidiaries. Unless otherwise indicated, references to our “common stock” include our Class A common stock and Class B common stock.
Overview
We are on a mission to secure the world’s data.
Cyberattacks are inevitable. Realizing that cyberattacks ultimately target data, we created Zero Trust Data Security to deliver cyber resilience so that organizations can secure their data across the cloud and recover from cyberattacks. We believe that the future of cybersecurity is data security—if your data is secure, your business is resilient.
We built Rubrik Security Cloud ("RSC") with Zero Trust design principles to secure data across enterprise, cloud, and SaaS applications. RSC delivers a cloud native SaaS platform that detects, analyzes, and remediates data security risks and unauthorized user activities. Our platform is architected to help organizations achieve cyber resilience, which encompasses cyber posture and cyber recovery. We enable organizations to confidently accelerate digital transformation and leverage the cloud to realize business agility.
We launched our first enterprise software product, Converged Data Management, in fiscal 2016, which combined data and metadata together into a single layer of software to offer Zero Trust data protection, and sold it as a perpetual license along with associated maintenance contracts. In fiscal 2019, we extended data protection to cloud native applications and rebranded Converged Data Management to Cloud Data Management ("CDM"). Data protection for cloud native applications are sold as a SaaS subscription product. In addition, we began offering new SaaS subscription products, Anomaly Detection and Sensitive Data Monitoring. In fiscal 2020, we continued our business evolution to a subscription pricing model by offering our CDM platform as a subscription term-based license with associated support. Included in this subscription term-based license was the right to next generation Rubrik-branded commodity servers ("Rubrik-branded Appliances") at no cost for qualified customers ("Refresh Rights"). As of February 1, 2022, we stopped offering CDM as a perpetual license.
In fiscal 2023, to meet customer demands for data security and a single, unified cloud-based control plane, we launched RSC, a comprehensive Zero Trust Data Security platform. RSC culminates our early vision of providing one point of control to secure data across enterprise, cloud, and SaaS applications. RSC is primarily adopted by our customers as a cloud-native, fully managed SaaS solution. It is also available as an enterprise-ready, self-managed version ("RSC-Private"), for a few select customers that are subject to stringent data control policies. For U.S. public sector organizations, we also offer a specialized cloud-native fully managed SaaS solution called RSC-Government.
We began transitioning customers from our legacy CDM capabilities to RSC, which is offered on a subscription basis, in fiscal 2023. As part of this business transition, we began transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers and stopped offering the Refresh Rights as part of our subscription offerings. In lieu of the outstanding Refresh Rights, upon qualification, we offer Subscription Credits, with an associated expiration date, which, when utilized, are an offset against Subscription ARR and revenue. As of the end of fiscal 2024, RSC represented a majority of our total revenue.
We recognize revenue from the sales of our RSC platform (excluding RSC-Private) ratably over the term of the subscription. We recognize a portion of revenue from sales of RSC-Private upon delivery and the remainder ratably over the term of the subscription. The majority of sales of our subscriptions are for three-year terms with upfront payment, and renewals are typically for one-year terms.
We expect new and existing customers to increasingly adopt RSC. Our new customers have generally been rapidly adopting the RSC platform. We are actively migrating our existing customers from our legacy CDM capabilities to RSC. As part of this migration, we expect certain existing customers to consume our platform and products through a mix of RSC and a transitional CDM license ("RCDM-T"), during which time we expect to continue recognizing a portion of the associated revenue from these customers upfront at the time we transfer control of the license to the customer. We cannot predict how long these customers will use this mix before they complete their transition. Our revenue will fluctuate when qualified customers choose to exercise or forfeit their Subscription Credits (which are customer options that are accounted for as material rights) upon their associated expiration date.
Our Go-to-Market Strategy
We utilize a land and expand approach, acquiring new customers and expanding with existing customers. We sell our products through subscription editions and can land in four distinct ways by securing private cloud (which we refer to as enterprise), enterprise Network-Attached Storage ("enterprise NAS" or what we refer to as unstructured data), cloud, and SaaS applications. After the initial purchase, our customers often expand the adoption of our platform within their organization. Expansion happens along three vectors: the growth of data from applications already secured by Rubrik, new applications secured, and additional data security products. This expansion is driven by a natural flywheel effect in which the value of our platform increases as our customers’ data grows across various applications. As organizations manage more data with RSC and adopt additional data security products, they gain deeper insights into their data, strengthen their overall security posture, and reduce compliance risk, thereby increasing their overall affinity with Rubrik and driving further adoption.
Key Factors Affecting Our Performance
Evolution of the Market and Adoption of Our Solutions
Our future success depends in part on the market adoption of our approach to Zero Trust Data Security. Many organizations have focused on preventing cyberattacks instead of protecting their data and having a plan to recover it in case of a cyberattack. We believe that the existing security ecosystem lacks a data security platform that will secure a customer’s data, wherever it lives, across enterprise, cloud, and SaaS applications. RSC is our Zero Trust Data Security platform that addresses the growing demand from organizations of virtually any size, across a wide range of industries, to address data security and cyberattack risks. As the data security market continues to evolve, we expect to continuously innovate our platform and product functionality to keep us in a strong position to capture the large opportunity ahead.
New Customer Acquisition
Our business model relies on rapidly and efficiently engaging with new customers. Our ability to attract new customers will depend on a number of factors, including our ability to innovate upon our product breadth and capabilities, our success in recruiting and scaling our sales and marketing organization, our ability to accelerate ramp time of our sales force, our ability to develop and maintain strong partnerships, the impact of marketing efforts to enhance our brand, and competitive dynamics in our target markets.
Retaining and Expanding Within Our Existing Customer Base
Our ability to retain customers and expand within existing customers is integral to our growth and future success. Our growing base of customers represents a significant opportunity for further expansion across our platform. Our customers typically start with securing data in one or more applications on our platform, and then expand by securing additional applications and increasing the amount of data secured. They further extend their use of our platform through adoption of additional security products. Several of our largest customers have deployed our platform to protect enterprise, unstructured data, cloud, and SaaS applications, securing large amounts of their data. Our ability to expand and extend within our customer base depends on, and has been impacted by, a number of factors, including platform performance, our customers’ satisfaction with our platform, competitive offerings, pricing, overall changes in our customers’ spending levels, and the effectiveness of our efforts to help our customers realize the benefits of our platform.
Key Business Metrics
We monitor the following key business metrics to help us evaluate our business.
Subscription ARR is calculated as the annualized value of our active subscription contracts as of the measurement date, assuming any contract that expires during the next 12 months is renewed on existing terms. Subscription contracts include offerings for our RSC platform and related SaaS products, term-based licenses for our RSC-Private platform and related products, prior sales of CDM sold as a subscription term-based license with associated support and related SaaS products, and standalone sales of our SaaS subscription products like Anomaly Detection and Sensitive Data Monitoring. We believe Subscription ARR illustrates our success in acquiring new subscription customers and maintaining and expanding our relationships with existing subscription customers.
The following table sets forth our Subscription ARR as of the dates presented:
October 31,
2024
2023
(in thousands, except percentages)
Subscription ARR
$
1,002,252
$
724,811
% growth
38
%
58
%
Subscription ARR does not include any maintenance revenue associated with perpetual licenses, which we generally no longer offer. Of the 38% and 58% growth, 2.0 percentage points and approximately 6.0 percentage points of growth for the twelve months ended October 31, 2024 and 2023, respectively, were a result of transitioning our existing maintenance customers to our subscription editions. We expect the contributions to growth from these transitions to subside in fiscal 2026.
Cloud Annual Recurring Revenue, or Cloud ARR
Cloud ARR is calculated as the annualized value of our active cloud-based subscription contracts as of the measurement date, based on our customers’ total contract value, and assuming any contract that expires during the next 12 months is renewed on existing terms. Our cloud-based subscription contracts include RSC and RSC-Government (excluding RSC-Private). Cloud ARR also includes SaaS subscription products like Anomaly Detection and Sensitive Data Monitoring, which are sold standalone or with prior sales of term-based license offerings of CDM. We believe that Cloud ARR provides important information on new and existing customers purchasing new RSC subscription offerings and existing subscription term-based license customers renewing with RSC subscription offerings.
The following table sets forth our Cloud ARR as of the dates presented:
October 31,
2024
2023
(in thousands, except percentages)
Cloud ARR
$
768,838
$
454,866
% growth
69
%
164
%
Average Subscription Dollar-Based Net Retention Rate
Our average subscription dollar-based net retention rate compares our Subscription ARR from the same set of subscription customers across comparable periods. We calculate our average subscription dollar-based net retention rate by first identifying subscription customers (the "Prior Period Subscription Customers") that were subscription customers at the end of a particular quarter (the "Prior Period") and calculate the Subscription ARR from the Prior Period Subscription Customers. We then calculate the Subscription ARR from these Prior Period Subscription Customers at the end of the same quarter of the subsequent year (the "Current Period"). This calculation captures upsells, contraction, and attrition since the Prior Period. We then divide total Current Period Subscription ARR by the total Prior Period Subscription ARR for Prior Period Subscription Customers. Our average subscription dollar-based net retention rate in a particular quarter is obtained by averaging the result from that particular quarter with the corresponding results from each of the prior three quarters. We believe that our average subscription dollar-based net retention rate provides useful information about the evolution of our existing customers as they expand through the increase of data from applications we already secure, new applications for us to secure, additional data security products, and conversion of our recurring revenue related to maintenance contracts into subscription revenue.
Our historical average subscription dollar-based net retention rate does not include any maintenance revenue associated with perpetual licenses, which we no longer offer. Like Subscription ARR, our historical average subscription dollar-based net retention rate benefits from the transition of our existing maintenance customers to our subscription editions.
The following table sets forth our average subscription dollar-based net retention rate as of the dates presented:
October 31,
2024
2023
Average subscription dollar-based net retention rate
over 120
%
over 130
%
Customers with $100,000 or More in Subscription ARR
We believe that customers with $100,000 or more in Subscription ARR is a helpful metric in measuring our ability to scale with our customers and the success of our ability to acquire large customers. Additionally, we believe that our ability to increase the number of customers with $100,000 or more in Subscription ARR is a useful indicator of our market penetration and demand for our platform.
The following table sets forth the number of customers with $100,000 or more in Subscription ARR as of the dates presented:
October 31,
2024
2023
Customers with $100,000 or more in Subscription ARR
2,085
1,581
% growth
32
%
53
%
Non-GAAP Financial Measures
We believe that non-GAAP financial measures, when taken collectively, may be helpful to investors because they provide consistency and comparability with past financial performance. However, non-GAAP financial measures are presented for supplemental informational purposes only, have limitations as an analytical tool, and should not be considered in isolation or as a substitute for financial information presented in accordance with GAAP. Other companies, including companies in our industry, may calculate similarly titled non-GAAP financial measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures, and not to rely on any single financial measure to evaluate our business.
Free Cash Flow
Free cash flow is a non-GAAP financial measure that we calculate as net cash provided by (used in) operating activities less cash used for purchases of property and equipment and capitalized internal-use software. We believe that free cash flow is a helpful indicator of liquidity that provides information to management and investors about the amount of cash generated or used by our operations that, after the investments in property and equipment and capitalized internal-use software, can be used for strategic initiatives, including investing in our business and strengthening our financial position. The limitation of free cash flow is that it does not reflect our future contractual commitments and may fluctuate due to the timing of cash payments received from our customers and payments relative to expenses, including discretionary cash payments of our debt interest expense pursuant to the terms of our Amended Credit Facility and prepayments of other spend. Additionally, free cash flow is not a substitute for cash used in operating activities, and the utility of free cash flow as a measure of our liquidity is further limited as it does not represent the total increase or decrease in our cash balance for a given period.
Free cash flow was $(53.6) million and $(33.2) million for the nine months ended October 31, 2024 and 2023, respectively. Free cash flow for the nine months ended October 31, 2024 includes a cash outlay of $22.8 million for employer payroll taxes due to the vesting of certain equity awards in conjunction with the initial public offering. Adjusting for employer payroll taxes, the modest improvement in free cash flow was primarily due to higher sales that were offset by higher expenses including expenses associated with our acquisition of Laminar which was completed in August 2023, a decrease in contract term due to the growth of our Cloud and SaaS products, and an increasing mix of annual and consumption payments from customers. This trend when combined with changes in new business growth, may result in free cash flow volatility across periods.
In the longer term, we view continued Subscription ARR growth and our multi-year cash collection as primary drivers of free cash flow. See the risk factor titled “We expect fluctuations in our financial results, making it difficult to project future results, and if we fail to meet the expectations of securities analysts or investors with respect to our results of operations, our stock price and the value of your investment could decline” in the section titled “Risk Factors.”
The following table presents a reconciliation of free cash flow to net cash used in operating activities for the periods presented:
Nine Months Ended October 31,
2024
2023
(in thousands)
Net cash used in operating activities
$
(35,369)
$
(17,288)
Less: Purchases of property and equipment
(11,296)
(9,335)
Less: Capitalized internal-use software
(6,902)
(6,616)
Free cash flow
$
(53,567)
$
(33,239)
Net cash used in investing activities
$
(387,600)
$
(121,999)
Net cash provided by financing activities
$
396,100
$
96,442
Subscription ARR Contribution Margin
We define Subscription ARR Contribution Margin as the Subscription ARR Contribution (as defined below) divided by Subscription ARR at the end of the period. We define Subscription ARR Contribution as Subscription ARR at the end of the period less: (i) our non-GAAP subscription cost of revenue and (ii) our non-GAAP operating expenses for the prior 12-month period ending on that date. In fiscal 2023, we began transitioning customers from our legacy CDM capabilities to our subscription-based RSC offerings. As a result of differing revenue recognition treatment between CDM and RSC, this business transition causes fluctuations to our total revenue growth and limits the comparability of our revenue with past performance. As a result, we measure the performance of our business on the basis of Subscription ARR. We believe that Subscription ARR Contribution Margin is a helpful indicator of operating leverage during this business transition. One limitation of Subscription ARR Contribution Margin is that the factors that impact Subscription ARR will vary from those that impact subscription revenue and, as such, may not provide an accurate indication of our actual or future GAAP results. Additionally, the historical expenses in this calculation may not accurately reflect the costs associated with future commitments.
Subscription ARR Contribution Margin was (3)%, and (14)% for the 12 months ended October 31, 2024 and 2023, respectively. For the 12 months ended October 31, 2024, the non-GAAP expenses includes the recognition of $22.8 million for employer payroll taxes due to the vesting of certain equity awards in conjunction with the initial public offering. Adjusting for this, the Subscription ARR Contribution Margin was (1)% for the 12 months ended October 31, 2024. The increase in Subscription ARR Contribution Margin was primarily driven by the strong year-over-year growth in Subscription ARR, compared to year-over-year growth in non-GAAP subscription costs of sales and non-GAAP operating expenses. We believe that this increase in Subscription ARR Contribution Margin reflects increased operating leverage in our business.
The following table presents the calculation of Subscription ARR Contribution Margin for the periods presented as well as a reconciliation of (i) non-GAAP subscription cost of revenue to cost of revenue and (ii) non-GAAP operating expenses to operating expenses.
Twelve Months Ended October 31,
2024
2023
(in thousands, except percentages)
Subscription cost of revenue
$
196,395
$
87,061
Stock-based compensation expense
(45,360)
(45)
Stock-based compensation from amortization of capitalized internal-use software
We generate revenue primarily from sales of subscriptions and typically invoice our customers at the inception of the contract. Revenue is recognized ratably over the term of the subscription for these sales of RSC subscriptions.
Our revenue will fluctuate based on the timing for transitioning our existing customers to RSC and when qualified customers choose to exercise or forfeit their customer options that are accounted for as material rights. These expected trends, when combined with the transition of the sale of Rubrik-branded Appliances from us to our contract manufacturers, will limit and cause fluctuations to our revenue growth through fiscal 2027. We primarily measure our business on the basis of Subscription ARR, as we believe it best reflects our actual growth and our growth prospects.
Subscription Revenue
Our subscription revenue consists of SaaS subscriptions and subscription term-based licenses with related support services.
SaaS includes SaaS subscription products like Anomaly Detection and Sensitive Data Monitoring sold standalone or with prior sales of term-based license offerings of CDM prior to the launch of the RSC platform as well as sales of RSC. RSC is offered as a fully-hosted subscription or a hybrid cloud subscription. RSC is a fully-hosted subscription in the case of protection of cloud, SaaS, and unstructured data applications. When RSC is securing enterprise applications, it is a hybrid cloud subscription which includes software hosted from the cloud (as a service) and an on-premise license for securing enterprise applications. The hybrid cloud subscription is accounted for as a single performance obligation because the software hosted from the cloud (as a service) and the on-premise software licenses are not separately identifiable and serve together to fulfill our promise to the customer, which is to provide a single, unified data security solution. Our subscription capabilities are primarily sold as editions which bundle multiple products and include the Foundation Edition, Business Edition, Enterprise Edition, and Enterprise Proactive Edition. Subscription revenue related to SaaS is recognized ratably over the subscription period.
Subscription term-based licenses provide our customer with a right to use the software for a fixed term commencing upon delivery of the license to our customer. Support services are bundled with each subscription term-based license for the term of the subscription. Subscription revenue related to subscription term-based licenses includes upfront revenue recognized at the later of the start date of the subscription term-based license and the date when the subscription term-based license is delivered. The remainder of the revenue is recognized ratably over the subscription period for support services, commencing with the date the service is made available to customers.
As customers continue to adopt or transition to RSC, we expect the ratable portion of our subscription revenue to increase. We expect certain customers to consume our platform and products through a mix of RSC and RCDM-T as they complete the migration, which will result in a recognition of a portion of the associated revenue for these customers upfront. Furthermore, our subscription revenue will also fluctuate when qualified customers choose to exercise or forfeit their customer options that are accounted for as material rights. The combination of both of these factors will limit and cause fluctuations in our subscription revenue growth through fiscal 2027, depending in part on the timing of our existing customers’ transition to RSC.
Maintenance Revenue
Maintenance revenue represents fees earned from software updates on a when-and-if-available basis, telephone support, integrated web-based support, and Rubrik-branded Appliance maintenance relating to our perpetual licenses. Maintenance revenue is recognized ratably over the term of the service period. We expect our maintenance revenue to decrease as we drive adoption of RSC for existing maintenance customers.
Other Revenue
Other revenue represents fees earned from sales of Rubrik-branded Appliances and professional services. Revenue for Rubrik-branded Appliances is recognized when shipped to the customer. When we sell our software license with our Rubrik-branded Appliances, revenue for both the Rubrik-branded Appliances and software licenses are recognized at the same time. Revenue related to professional services is typically recognized as the services are performed. In the third quarter of fiscal 2023, we began transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers. We expect other revenue as a percentage of total revenue to decrease over time as we continue this transition.
Cost of Revenue
Cost of revenue primarily includes employee compensation and related expenses associated with customer support, certain hosting costs, amortization of capitalized internal-use software, and cost of Rubrik-branded Appliances.
Cost of subscription revenue primarily includes employee compensation and related expenses associated with customer support for our subscription offerings, certain hosting costs, and amortization of capitalized internal-use software. We expect our cost of subscription revenue to increase as our subscription revenue increases.
Cost of Maintenance Revenue
Cost of maintenance revenue primarily includes employee compensation and related expenses associated with customer support from our perpetual licenses. Over the long-term, we expect our cost of maintenance revenue to decrease as our maintenance revenue decreases.
Cost of Other Revenue
Cost of other revenue primarily includes the cost of Rubrik-branded Appliances and professional services. We expect cost of other revenue as a percentage of total cost of revenue to decrease due to the sales of Rubrik-branded Appliances transitioning from us to our contract manufacturers.
Gross Profit and Margin
Gross profit is revenue less cost of revenue.
Gross margin is gross profit expressed as a percentage of revenue. Our gross margin has been, and will continue to be, affected by a number of factors, including the mix of subscription term-based licenses, SaaS subscriptions, and other products, when qualified customers choose to exercise or forfeit their customer options that are accounted for as material rights, the timing and extent of our investments in our global customer support organization, certain hosting costs, the amortization of capitalized internal-use software, and stock-based compensation expense. Over time, we expect our gross margin to fluctuate due to the factors described above.
Subscription Gross Margin
With increased adoption of RSC, we expect SaaS revenue to increase as a percentage of total revenue, which we expect will result in an increase in associated hosting costs. As customers adopt RSC, we expect our subscription gross margin to fluctuate through fiscal 2027. This is due to the revenue being recognized ratably over the subscription term rather than a portion being recognized upfront from subscription term-based licenses and associated increases in hosting costs for our SaaS solutions.
Maintenance Gross Margin
We expect maintenance revenue to decrease as a percentage of total revenue, which we expect will result in a decrease in maintenance costs. We expect our maintenance margin to fluctuate until the end of fiscal 2026 as maintenance revenue and related costs decline as customers adopt RSC.
Other Gross Margin
We expect sales of Rubrik-branded Appliances to decrease as we transition the sale from us to contract manufacturers, which will result in a decrease in associated Rubrik-branded Appliance costs. We expect our other gross margin to fluctuate through fiscal 2025 as we are transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers.
Operating Expenses
Our operating expenses consist of research and development, sales and marketing, and general and administrative expenses. Personnel costs are the most significant component of operating expenses. We also incur other non-personnel costs such as colocation and certain hosting costs, office space costs, fees for third-party professional services, and costs associated with software and subscription services. We expect our operating expenses, exclusive of stock-based compensation expense, to generally decrease as a percentage of revenue over the long term.
Research and Development
Research and development expenses consist primarily of employee compensation and related expenses, net of capitalized amounts, and colocation and certain hosting costs. To capture share in the ever-growing data security market, we expect to continuously innovate our platform and product functionality and will continue to invest in research and development. We expect our research and development expenses will continue to increase as our business grows. We also expect our research and development expenses, exclusive of stock-based compensation, as a percentage of revenue to generally decrease over the long term.
Sales and marketing expenses consist primarily of employee compensation and related expenses including sales commissions, marketing programs, and travel-related costs. We expect our sales and marketing expenses will increase over time and continue to be our largest operating expense for the foreseeable future as we expand our sales force, increase our marketing efforts, and expand into new markets. We also expect our sales and marketing expenses, exclusive of stock-based compensation, as a percentage of revenue to generally decrease over the long term.
General and Administrative
General and administrative expenses consist primarily of employee compensation and related expenses for administrative functions, including finance, legal, human resources, information technology, and fees for third-party professional services. We expect to incur additional general and administrative expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, and increased expenses for investor relations and third-party professional services. We expect that our general and administrative expenses will also increase as our business grows, although we expect our general and administrative expenses, exclusive of stock-based compensation, as a percentage of revenue to generally decrease over the long term.
Other Non-Operating Income (Expense)
Other non-operating income (expense) consists primarily of interest income, interest expense, and foreign exchange gains and losses.
Income Tax Expense
Income tax expense consists primarily of income taxes in certain foreign jurisdictions in which we conduct business, as well as federal and state income taxes in the United States. We have recorded U.S. federal and state net deferred tax assets for which we provide a full valuation allowance, which includes net operating loss carryforwards and tax credits. We expect to maintain this full valuation allowance for the foreseeable future as it is more likely than not that some or all of those deferred tax assets may not be realized based on our history of losses.
The following tables summarize our condensed consolidated statements of operations data for the periods presented. The period-to-period comparison of results is not necessarily indicative of results for future periods.
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
(in thousands)
Revenue
Subscription
$
221,511
$
143,363
$
585,021
$
379,217
Maintenance
4,342
8,979
15,027
31,861
Other
10,325
13,262
28,396
41,801
Total revenue
236,178
165,604
628,444
452,879
Cost of revenue
Subscription(1)
46,486
22,697
166,006
67,538
Maintenance(1)
824
1,398
5,473
5,418
Other(1)
8,836
9,613
35,814
32,033
Total cost of revenue
56,146
33,708
207,293
104,989
Gross profit
180,032
131,896
421,151
347,890
Operating expenses
Research and development(1)
80,050
51,372
451,657
147,400
Sales and marketing(1)
158,907
120,847
706,163
353,824
General and administrative(1)
65,862
24,956
281,248
70,061
Total operating expenses
304,819
197,175
1,439,068
571,285
Loss from operations
(124,787)
(65,279)
(1,017,917)
(223,395)
Interest income
7,468
2,934
17,688
8,296
Interest expense
(10,310)
(9,006)
(31,179)
(20,711)
Other income (expense), net
(1,333)
104
(3,406)
(1,574)
Loss before income taxes
(128,962)
(71,247)
(1,034,814)
(237,384)
Income tax expense
1,948
15,020
5,117
19,277
Net loss
$
(130,910)
$
(86,267)
$
(1,039,931)
$
(256,661)
Net loss per share attributable to common shareholders, basic and diluted
$
(0.71)
$
(1.41)
$
(7.27)
$
(4.25)
Weighted-average shares used in computing net loss per share attributable to common shareholders, basic and diluted
183,590
61,023
142,985
60,425
(1) Includes stock-based compensation expense as follows:
The following table sets forth our condensed consolidated statements of operations data expressed as a percentage of revenue for the periods indicated:
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Revenue
Subscription
94
%
87
%
93
%
84
%
Maintenance
2
5
2
7
Other
4
8
5
9
Total revenue
100
100
100
100
Cost of revenue
Subscription
20
14
26
15
Maintenance
1
1
1
1
Other
3
5
6
7
Total cost of revenue
24
20
33
23
Gross profit
76
80
67
77
Operating expenses
Research and development
34
31
72
33
Sales and marketing
67
73
112
78
General and administrative
28
15
45
15
Total operating expenses
129
119
229
126
Loss from operations
(53)
(39)
(162)
(49)
Interest income
3
1
3
2
Interest expense
(4)
(5)
(5)
(5)
Other income (expense), net
(1)
—
(1)
—
Loss before income taxes
(55)
(43)
(165)
(52)
Income tax expense
—
9
—
5
Net loss
(55)
%
(52)
%
(165)
%
(57)
%
Comparison of the Three and Nine Months Ended October 31, 2024 and 2023
Revenue
Three Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Revenue
Subscription
$
221,511
$
143,363
$
78,148
55
%
Maintenance
4,342
8,979
(4,637)
(52)
%
Other
10,325
13,262
(2,937)
(22)
%
Total revenue
$
236,178
$
165,604
$
70,574
43
%
Nine Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Revenue
Subscription
$
585,021
$
379,217
$
205,804
54
%
Maintenance
15,027
31,861
(16,834)
(53)
%
Other
28,396
41,801
(13,405)
(32)
%
Total revenue
$
628,444
$
452,879
$
175,565
39
%
Growth in subscription revenue was driven by growth in Subscription ARR but also benefited from the fiscal 2024 revenue headwind related to the transition to RSC and higher than expected upfront and non-recurring revenue. The higher than expected upfront and non-recurring revenue is due to higher new sales and renewals of RSC-Private from regulated and government verticals in the third quarter of fiscal 2025 as well as the extension of transition licenses to some of our customers, as they progress through their adoption of RSC.
Our Subscription ARR grew from $724.8 million as of October 31, 2023 to $1,002.3 million as of October 31, 2024, representing a 38% increase. Of the increase in Subscription ARR, 2.0 percentage points are a result of transitioning our existing maintenance customers to our subscription editions. A further indication of our ability to expand revenue from existing customers is through our average subscription dollar-based net retention rate which was greater than 120% as of October 31, 2024. We had 2,085 customers with $100,000 or more in Subscription ARR as of October 31, 2024, increasing from 1,581 as of October 31, 2023.
Maintenance revenue associated with sales of perpetual licenses of our legacy CDM product decreased for the three and nine months ended October 31, 2024. Maintenance revenue represented 2% and 5% of total revenue for the three months ended October 31, 2024 and 2023, respectively and 2% and 7% of total revenue for the nine months ended October 31, 2024 and 2023, respectively. We expect the transition of existing maintenance customers adopting RSC subscription offerings to be largely completed by the end of fiscal 2026.
Other revenue, which consists primarily of sales of Rubrik-branded Appliances and professional services, decreased for the three and nine months ended October 31, 2024. Sales of Rubrik-branded Appliances decreased by $2.3 million and $11.2 million for the three and nine months ended October 31, 2024, respectively, as we are transitioning sales of our Rubrik-branded Appliances from us to our contract manufacturers and no longer offer new perpetual licenses. We expect our other revenue as a percentage of total revenue to continue to decrease.
Cost of Revenue
Three Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Cost of revenue
Subscription
$
46,486
$
22,697
$
23,789
105
%
Maintenance
824
1,398
(574)
(41)
%
Other
8,836
9,613
(777)
(8)
%
Total cost of revenue
$
56,146
$
33,708
$
22,438
67
%
Nine Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Cost of revenue
Subscription
$
166,006
$
67,538
$
98,468
146
%
Maintenance
5,473
5,418
55
1
%
Other
35,814
32,033
3,781
12
%
Total cost of revenue
$
207,293
$
104,989
$
102,304
97
%
Cost of subscription revenue increased for the three and nine months ended October 31, 2024 primarily due to the recognition of stock-based compensation expense of $4.6 million and $45.3 million, respectively, after and as a result of the completion of our IPO, an increase in $13.1 million and $36.9 million, respectively, in hosting costs due to the launch and adoption of more SaaS products by our customers, and an increase of $2.6 million and $9.3 million, respectively, from growth in our customer support organization.
Cost of maintenance revenue decreased for the three months ended October 31, 2024 primarily due to a decrease in our customer support organization costs relating to maintenance revenue as we no longer offer new perpetual licenses and as existing maintenance customers adopt RSC subscription offerings. Cost of maintenance revenue increased for the nine months ended October 31, 2024 primarily due to $2.9 million in stock-based compensation expense we recognized after and as a result of the completion of our IPO, partially offset by a $2.6 million decrease in our customer support organization costs relating to maintenance revenue as we no longer offer new perpetual licenses and as existing maintenance customers adopt RSC subscription offerings.
Cost of other revenue decreased for the three months ended October 31, 2024 primarily due to a decrease in Rubrik-branded Appliances costs as we are transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers. Cost of other revenue increased for the nine months ended October 31, 2024 primarily due to $13.6 million in stock-based compensation expense we recognized after and as a result of the completion of our IPO, partially offset by a decrease in Rubrik-branded Appliances costs of $10.6 million as we are transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers.
Subscription gross margin decreased for the three and nine months ended October 31, 2024 due to the stock-based compensation expense we recognized after and as a result of the completion of our IPO and an increase in hosting costs associated with our development and launch of more SaaS products.
Maintenance gross margin decreased for the three and nine months ended October 31, 2024 due to the stock-based compensation expense we recognized after and as a result of the completion of our IPO.
Other gross margin decreased for the three and nine months ended October 31, 2024 due to the stock-based compensation expense we recognized after and as a result of the completion of our IPO.
Operating Expenses
Research and Development
Three Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Research and development
$
80,050
$
51,372
$
28,678
56
%
Nine Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Research and development
$
451,657
$
147,400
$
304,257
206
%
Research and development expenses increased for the three and nine months ended October 31, 2024. Employee compensation and related expenses increased by $27.0 million and $299.1 million, respectively, due to $22.9 million and $274.6 million, respectively, of stock-based compensation expense we recognized after and as a result of the completion of our IPO and increases in headcount as we continued to develop new products and enhance the functionalities of our existing products.
Sales and marketing expenses increased for the three and nine months ended October 31, 2024. Employee compensation and related expenses increased by $32.9 million and $338.5 million, respectively, due to $27.2 million and $300.6 million, respectively, of stock-based compensation expense we recognized after and as a result of the completion of our IPO and increases in headcount.
General and Administrative
Three Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
General and administrative
$
65,862
$
24,956
$
40,906
164
%
Nine Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
General and administrative
$
281,248
$
70,061
$
211,187
301
%
General and administrative expenses increased for the three and nine months ended October 31, 2024. Employee compensation and related expenses increased by $38.3 million and $200.5 million, respectively, due to $35.9 million and $188.6 million, respectively, of stock-based compensation expense we recognized after and as a result of the completion of our IPO and increases in headcount.
Other Non-Operating Income (Expense)
Three Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Interest income
$
7,468
$
2,934
$
4,534
155
%
Interest expense
(10,310)
(9,006)
(1,304)
14
%
Other income (expense), net
(1,333)
104
(1,437)
(1382)
%
Nine Months Ended October 31,
2024
2023
$ Change
% Change
(dollars in thousands)
Interest income
$
17,688
$
8,296
$
9,392
113
%
Interest expense
(31,179)
(20,711)
(10,468)
51
%
Other income (expense), net
(3,406)
(1,574)
(1,832)
116
%
Interest income increased for the three and nine months ended October 31, 2024 due to higher cash, cash equivalents, and investment balances and higher interest rates.
Interest expense increased for the three and nine months ended October 31, 2024 primarily due to our Prior Credit Facility and Amended Credit Facility (each as defined below).
Our income tax expense decreased for the three months ended October 31, 2024 due to the impact of integrating the operations of Laminar during the three months ended October 31, 2023.
Our income tax expense decreased for the nine months ended October 31, 2024 due to the impact of integrating the operations of Laminar during the three months ended October 31, 2023 and several of our foreign subsidiaries making an election in the current year to be treated as U.S. branches for federal income tax purposes effective in fiscal 2024.
Our effective tax rate may fluctuate significantly on a quarterly basis and could be adversely affected to the extent that earnings are lower than anticipated in countries that have lower statutory tax rates and higher than anticipated in countries that have higher statutory tax rates. In addition, tax authorities may challenge our transfer pricing policies, resulting in a higher effective tax rate.
Liquidity and Capital Resources
To date, we have financed our operations principally through private placements of our redeemable convertible preferred stock, our term loan credit facility, and payments received from customers.
In June 2022, we entered into a $195.0 million credit facility (the "Prior Credit Facility"), consisting of initial term loans in an aggregate principal amount of $175.0 million and delayed draw term loan commitments in an aggregate principal amount of $20.0 million. The Prior Credit Facility was scheduled to mature in June 2027. We borrowed the full amount of the initial term loans in June 2022, the proceeds of which were used for general corporate purposes, and subsequently drew approximately $14.5 million of delayed draw term loans to pay accrued quarterly interest payments under the Prior Credit Facility.
In August 2023, we amended and restated the Prior Credit Facility (the "Amended Credit Facility"), to increase the total borrowing capacity thereunder to $330.0 million, consisting of initial term loans in an aggregate principal amount of approximately $289.5 million and delayed draw term loan commitments in an aggregate principal amount of approximately $40.5 million. The Amended Credit Facility will mature in August 2028. We borrowed the full amount of the initial term loans and approximately $4.1 million of delayed draw term loans under the Amended Credit Facility on the closing date of the Amended Credit Facility in order to (i) refinance and replace in full the outstanding term loans under the Prior Credit Facility, (ii) finance the consideration for the acquisition of Laminar, and (iii) pay the accrued quarterly interest under the Prior Credit Facility then due. Borrowings under the Amended Credit Facility will bear interest, at our option, at a rate per annum equal to (i) (x) a base rate equal to the highest of (A) the prime rate as published by The Wall Street Journal, (B) the federal funds rate plus 0.5%, and (C) an adjusted SOFR rate for a one-month interest period plus 1.0% plus (y) a margin of 6.0%, or (ii) an adjusted SOFR rate for a selected interest period plus a margin of 7.0%. We have the option to elect to fund up to 100.0% of the interest payments under the Amended Credit Facility with the incurrence of additional delayed draw term loans, subject to a temporary increase of 0.5% in the annual interest rate due on outstanding term loans for a period of 90 to 180 days from the latest date of incurrence of such additional delayed draw term loans. The annual interest rate on outstanding term loans under the Amended Credit Facility can also decrease by 0.5% if we achieve certain financial targets. In connection with each of the Prior Credit Facility and the Amended Credit Facility, we were also required to pay customary fees for a credit facility of this size and type, including an upfront fee. We have the option to prepay the loans under the Amended Credit Facility at any time subject to a prepayment premium of (i) 1.5% in the first year following the closing of the Amended Credit Facility, (ii) 0.5% in the second year following the closing of the Amended Credit Facility, and (iii) 0.0% thereafter.
In August 2023, we acquired all of the outstanding stock of Laminar, a data security posture management ("DSPM") platform. We accounted for this transaction as a business combination. The acquisition date fair value of the purchase consideration was $104.9 million, of which $90.8 million was paid in cash and the remainder in common stock. The cash consideration of $90.8 million excludes $23.8 million we held back, which is subject to service-based vesting and will be recorded as expense over the period the services are provided. The acquisition of Laminar is intended to support our leadership position as a data security platform provider and help accelerate our cyber posture offerings.
In April 2024, we completed our IPO which resulted in proceeds of approximately $710.3 million, net of underwriting discounts and commissions.
In May 2024, our underwriters exercised their option to purchase an additional 3,472,252 shares of our Class A common stock at the IPO Price of $32.00 per share. We received net proceeds of approximately $104.9 million, net of underwriters’ discounts and commissions.
Our billings grow with new business growth. The majority of our billings are driven by invoicing our customers for multi-year commitments. However, this may evolve as customers have opted to, and may continue to opt to, pay us on an annual or consumption basis based on products purchased due to the growth in our SaaS product offerings. In addition, our billings are subject to seasonality, with billings in the fourth quarter being substantially higher than in the other three quarters. As of October 31, 2024, we had cash, cash equivalents, and short-term investments of $632.0 million. Our cash equivalents and investments primarily consist of money market funds, U.S. treasuries, commercial paper, corporate bonds, and U.S. government agencies securities. We have generated significant operating losses from our operations as reflected in our accumulated deficit of $(2,722.4) million as of October 31, 2024. We expect to continue to incur operating losses, and our operating cash flows may fluctuate between positive and negative amounts for the foreseeable future due to the investments we intend to make as described above. As a result, we may require additional capital resources to execute strategic initiatives to grow our business.
Our principal contractual and other commitments consist of our operating leases for office space that we occupy and data centers, purchase obligations relating primarily to hosting and software and subscription services, and debt, including the quarterly interest payments. There were no significant changes outside the ordinary course of business to our commitments and purchase obligations disclosed in our Final Prospectus for the fiscal year ended January 31, 2024. Refer to Note 7 to our condensed consolidated financial statements included elsewhere in this Quarterly Report on Form 10-Q for a discussion of our debt.
We believe that our existing cash and cash equivalents will be sufficient to fund our operating and capital needs for at least the next 12 months.
Our longer-term future capital requirements will depend on many factors, including our subscription growth rate, subscription renewal activity, including the timing and the amount of cash received from customers, the expansion of sales and marketing activities, the timing and extent of spending to support development efforts, the introduction of new and enhanced products, and the continuing market adoption of our platform. We may in the future enter into arrangements to acquire or invest in complementary businesses, services, and technologies, including intellectual property rights. We continue to assess our capital structure and evaluate the merits of deploying available cash. We may be required to seek additional equity or debt financing. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital when desired, or if we cannot expand our operations or otherwise capitalize on our business opportunities because we lack sufficient capital, our business, financial condition, and operating results would be adversely affected.
The following table summarizes our cash flows for the periods presented:
Our largest source of operating cash is payments received from our customers. We typically invoice our customers in advance for multi-year contracts. Therefore, a substantial source of our cash is from such prepayments, which are included on our condensed consolidated balance sheets in deferred revenue. We generally experience seasonality based on when we enter into agreements with our customers. Given the seasonality in our business, the operating cash flow benefit from increased collections from our customers generally occurs in the subsequent quarter after billing. We expect seasonality, timing of billings, billings terms, and collections from our customers to have a material impact on our cash flow from operating activities from period to period. Our primary uses of cash from operating activities are for employee compensation and related expenses, sales commissions, fees for third-party professional services, colocation and hosting costs, marketing programs, and discretionary cash payments of our debt interest expense pursuant to the terms of our Amended Credit Facility and prepayments of other spend. Our cash flow from operating activities may fluctuate due to the timing of cash payments received from our customers and payments relative to expenses.
For the nine months ended October 31, 2024, net cash used in operating activities of $35.4 million resulted primarily from a net loss of $1,039.9 million, partially offset by $827.9 million of stock-based compensation, $66.4 million of amortization of deferred commissions, $29.1 million for non-cash interest related to debt, $21.5 million for depreciation and amortization, and $62.8 million of net cash inflow from changes in operating assets and liabilities. The net cash inflow from changes in operating assets and liabilities was primarily the result of a $177.0 million increase in deferred revenue from increased billings and a $3.9 million increase in accounts payable. The cash inflow was partially offset by a $90.4 million increase in deferred commissions, a $14.3 million increase in prepaid expense and other assets and a $14.3 million increase in accounts receivable.
For the nine months ended October 31, 2023, net cash used in operating activities of $17.3 million resulted primarily from a net loss of $256.7 million, partially offset by $56.7 million of amortization of deferred commissions, $17.8 million for depreciation and amortization, $10.1 million for non-cash interest related to debt, and $152.4 million of net cash inflow from changes in operating assets and liabilities. The net cash inflow from changes in operating assets and liabilities was primarily the result of a $230.4 million increase in deferred revenue from increased billings, a $13.1 million decrease in accounts receivable and a $5.9 million decrease in prepaid expense and other assets. The cash inflow was partially offset by a $75.8 million increase in deferred commissions and $20.7 million decrease in accrued expenses and other liabilities.
Investing Activities
For the nine months ended October 31, 2024, net cash used in investing activities of $387.6 million resulted from $641.3 million in purchases of investments, $11.3 million in purchases of property and equipment, and $6.9 million in capitalized internal-use software, offset by $271.9 million in proceeds from maturities and sales of investments.
For the nine months ended October 31, 2023, net cash used in investing activities of $122.0 million resulted from $221.6 million in purchases of investments, $90.3 million paid to acquire Laminar, $9.3 million in purchases of property and equipment, and $6.6 million in capitalized internal-use software, offset by $205.8 million in proceeds from maturities and sales of investments.
Financing Activities
For the nine months ended October 31, 2024, net cash provided by financing activities of $396.1 million resulted primarily from $815.2 million in proceeds from our IPO and underwriters' exercise of over-allotment option, net of underwriting discounts and commissions, $11.1 million in proceeds from issuance of common stock under employee stock purchase plan, and $6.6 million from the exercise of stock options, partially offset by $432.5 million in taxes paid related to the net share settlement of equity awards that vested since our IPO, and $3.5 million for payment of deferred offering costs.
For the nine months ended October 31, 2023, net cash provided by financing activities of $96.4 million resulted primarily from $96.5 million in proceeds from the issuance of debt, net of discount and $3.1 million from the exercise of stock options, offset by $2.9 million for payment of deferred offering costs.
Critical Accounting Policies and Estimates
Our condensed consolidated financial statements and related notes thereto included elsewhere in this Quarterly Report on Form 10-Q are prepared in accordance with GAAP. The preparation of these condensed consolidated financial statements requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, and expenses as well as related disclosures. We evaluate our estimates and assumptions on an ongoing basis. Our estimates are based on historical experience and various other assumptions that we believe to be reasonable under the circumstances. Our actual results could differ from these estimates.
There have been no material changes to our critical accounting policies and estimates as compared to those described in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” set forth in our Final Prospectus other than what is described below.
Stock-Based Compensation
CEO Performance Award
In June 2022, our board of directors approved a stock option grant to our CEO, Mr. Sinha to purchase up to 8,000,000 shares of Class B common stock. The CEO Performance Award was granted upon our IPO and vests upon the satisfaction of a service-based condition and the achievement of certain stock price goals. We estimated the grant date fair value of the award using the Monte Carlo simulation method which incorporates multiple stock price paths as well as the possibility that the stock price goals may not be satisfied. One of the judgmental assumptions in the Monte Carlo simulation method is the expected volatility of our common stock price. Since we do not have sufficient trading history of our common stock, we estimated the expected volatility at the grant date by using the historical volatility of a group of comparable publicly traded companies over a period equal to the time to expiration of the options. Changes to the volatility may have a material impact on the valuation of CEO Performance Award given the size of the equity award.
Recently Issued Accounting Pronouncements
See Note 2, Basis of Presentation and Summary of Significant Accounting Policies, in the notes to our condensed consolidated financial statements included in Part I, Item I of this Quarterly Report on Form 10-Q for a discussion of recent accounting pronouncements.
JOBS Act Accounting Election
We are an emerging growth company, as defined in the JOBS Act. The JOBS Act provides that an emerging growth company can take advantage of an extended transition period for complying with new or revised accounting standards. This provision allows an emerging growth company to delay the adoption of some accounting standards until those standards would otherwise apply to private companies. We have elected to use the extended transition period under the JOBS Act for the adoption of certain accounting standards until the earlier of the date we (i) are no longer an emerging growth company or (ii) affirmatively and irrevocably opt out of the extended transition period provided in the JOBS Act. As a result, our financial statements may not be comparable to companies that comply with new or revised accounting pronouncements as of public company effective dates.
Item 3. Quantitative and Qualitative Disclosures About Market Risk
We have operations in the United States and internationally, and we are exposed to market risk in the ordinary course of our business.
Interest Rate Risk
As of October 31, 2024, we had cash, cash equivalents, and short-term investments of $632.0 million and restricted cash of $7.2 million. Our cash, cash equivalents, and short-term investments are held for working capital purposes. We do not enter into investments for trading or speculative purposes. Our investments are exposed to market risk due to fluctuations in interest rates, which may affect our interest income. A hypothetical 10% increase or decrease in interest rates would not have a material effect on the fair market value of our portfolio.
Currency Risk
Our reporting currency is the U.S. dollar and the functional currency for all of our foreign subsidiaries are the respective local currencies. All of our sales contracts are denominated in U.S. dollars. A portion of our operating expenses are incurred outside of the United States, denominated in foreign currencies, and subject to fluctuations due to changes in foreign currency exchange rates. Our consolidated results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign exchange rates. To date, we have not entered into any hedging arrangements with respect to foreign currency risk or other derivative financial instruments, although we may choose to do so in the future. We do not believe a 10% increase or decrease in the relative value of the U.S. dollar would have a material impact on our results of operations.
Our management, with the participation of our Chief Executive Officer and Chief Financial Officer, has evaluated the effectiveness of our disclosure controls and procedures as of the end of the period covered by this Quarterly Report on Form 10-Q. The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934, as amended (the "Exchange Act"), means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to provide reasonable assurance that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company’s management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure. Based on such evaluation, our Chief Executive Officer and Chief Financial Officer concluded that, as of the end of the period covered by this Quarterly Report on Form 10-Q, our disclosure controls and procedures were effective at the reasonable assurance level.
Changes in Internal Control over Financial Reporting
There were no changes in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the period covered by this Quarterly Report on Form 10-Q that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
Inherent Limitations on Effectiveness of Controls
Our management, including our Chief Executive Officer and Chief Financial Officer, believes that our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving their objectives and are effective at the reasonable assurance level. However, management does not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent or detect all errors and all fraud. A control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within the company have been detected. The design of any system of controls also is based in part upon certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Over time, controls may become inadequate because of changes in conditions, or the degree of compliance with the policies or procedures may deteriorate. Because of the inherent limitations in a cost-effective control system, misstatements due to error or fraud may occur and not be detected.
From time to time, we are involved in various legal proceedings arising from activities in the normal course of business. We are not presently a party to any litigation the outcome of which, we believe, if determined adversely to us, would individually or taken together have a material adverse effect on our business, financial condition, results of operations, and cash flows. Defending any legal proceedings is costly and can impose a significant burden on management and employees. The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors.
Item 1A. Risk Factors
Investing in our Class A common stock involves various risks, including those described below. You should consider and read carefully all of the risks and uncertainties described below, together with all of the other information contained in this Quarterly Report on Form 10-Q, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our unaudited condensed consolidated financial statements and related notes, before making an investment decision. The risks described below are not the only ones we face. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition, or results of operations. In such case, the trading price of our Class A common stock could decline, and you may lose some or all of your original investment.
Risks Related to Our Business
Our recent rapid growth may not be indicative of our future growth. Our rapid growth also makes it difficult to evaluate our future prospects.
Our revenue was $628.4 million and $452.9 million for the nine months ended October 31, 2024 and 2023, respectively. You should not rely on the revenue growth of any prior quarterly or annual period as an indication of our future performance. Even if our revenue continues to increase, we expect that our revenue growth rate will fluctuate in the future as a result of a variety of factors, including our transition for new and existing customers to sales of Rubrik Security Cloud ("RSC"), for which an increasing amount of our software revenue will be recognized ratably.
Overall growth of our revenue also depends on a number of factors, including our ability to:
•expand the features and functionality of our data security products as well as increase the amount of data sources protected across enterprise, cloud, and SaaS applications;
•extend our product leadership to expand our addressable market;
•differentiate our data security products from products offered by others;
•successfully develop a substantial sales pipeline for our products;
•hire sufficient sales personnel to support our growth and reduce the time for such personnel to achieve desired productivity levels;
•attract new customers and expand sales to our existing customers, including by effectively marketing and pricing our data security products and successfully transitioning existing customers to RSC;
•increase awareness of our brand on a global basis as a data security company to successfully compete with other companies;
•provide our customers with support that meets their needs;
•effectively leverage and expand our partner ecosystem;
•protect against security incidents;
•successfully protect our intellectual property in the United States and other jurisdictions; and
•expand to new international markets and grow within existing markets.
We may not successfully accomplish any of these objectives, and as a result, it is difficult for us to forecast our future results of operations. If the assumptions that we use to plan our business are incorrect or if we are unable to maintain consistent revenue or revenue growth, our stock price could be volatile and we may not be able to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods as any indication of our future revenue or revenue growth.
In addition, we expect to continue to expend substantial financial and other resources on:
•expansion and enablement of our sales, services, and marketing organizations to increase brand awareness and drive adoption of our solutions;
•product development, including investments in our product development team and the development of new products, new features, and functionality for our platform and products;
•our cloud infrastructure technology, including systems architecture, scalability, availability, performance, and security;
•our partner ecosystem;
•international expansion;
•acquisitions or strategic investments;
•our information security program; and
•general administration, including increased legal, human resources, and accounting expenses associated with being a public company.
These investments may not result in increased revenue for our business. If we are unable to maintain or increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial condition, and results of operations will be harmed, and we may not be able to achieve or maintain profitability. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays, decreased revenue growth associated with general macroeconomic and market conditions, volatility, or disruptions (including the effect of those events on our customers) and other unknown factors that may result in losses in future periods. If our revenue does not meet our expectations in future periods, our business, financial condition, and results of operations may be harmed.
If the market for data security solutions does not grow, our ability to grow our business and our results of operations may be adversely affected.
We believe our future success will depend in large part on the growth, if any, in the market for data security solutions. Traditionally, the cybersecurity industry has been focused on securing information technology infrastructure to prevent, detect, and investigate cyberattacks. Our platform brings a new approach to cybersecurity, which involves protecting our customers’ data across enterprise, cloud, and SaaS applications, observing the data itself to proactively identify emergent threats, remediating data security threats, and recovering protected data following a cybersecurity event. The market for data security solutions, such as our platform and data security products, is at an early stage and rapidly evolving. As such, it is difficult to predict this market’s potential growth, if any, customer adoption and retention rates, customer demand for data security platforms, or the success of competitive products. In the past, customer adoption of our platform and data security products has been driven by the need for data resilience due to increasing ransomware activity. We do not know whether the trends of increasing ransomware activity, or of increasing adoption of our platform and data security products such as ours that we have experienced in the past, will continue in the future. Any expansion in this market depends on a number of factors, including the cost, performance, and perceived value associated with our platform and data security products and similar solutions of our competitors, including preference to manage security with existing infrastructure security tools alone, rather than investing in a platform based data security solution. The markets for some of our solutions are new, unproven, and evolving, and our future success depends on growth and expansion of these markets. If our platform and data security products do not achieve widespread adoption or there is a reduction in demand for our platform and data security products due to a lack of customer acceptance, technological challenges, competing products or solutions, privacy concerns, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in early terminations, reduced customer retention rates, or decreased revenue, any of which would adversely affect our business, financial condition, and results of operations. You should consider our business and growth prospects in light of the risks and difficulties we encounter in this new and evolving market.
We have a limited operating history, particularly with respect to our offering of RSC, which makes it difficult to forecast our future results of operations.
自成立以来,我们在每个时期都经历了净亏损。截至2024年和2023年10月31日的9个月,我们分别产生了净亏损(10.39亿美元)和(256.7)亿美元。截至2024年10月31日和2024年1月31日,我们的累计赤字分别为(27.224亿美元)和(16.825亿美元)。虽然我们在最近几个时期经历了快速的收入增长,但我们不确定我们是否或何时能够获得足够高的销售额,以实现或保持未来的盈利能力。特别是,随着我们扩大我们平台的可用性,提高我们保护多个不同来源的数据的能力,并扩展我们在数据弹性、数据可观察性和数据补救方面的能力,我们实现和保持盈利的能力将高度依赖于我们向新老客户成功营销我们的平台和数据安全产品的能力。我们还预计未来我们的成本和支出将增加,如果我们的收入不增加,这可能会对我们未来的运营结果产生负面影响。特别是,我们打算继续投入大量资金来进一步开发我们的数据安全产品,包括通过推出新的特性和功能以及保护更多的应用程序,并扩大我们的销售、营销和服务团队,以推动新客户采用我们的数据安全产品,扩大现有客户对我们数据安全产品的使用,支持国际扩张,并实施更多系统和流程以有效地扩大运营规模。我们还将面临与增长、计划扩大客户基础和渠道、国际扩张以及上市公司相关的增加的合规成本。此外,我们的数据安全解决方案在第三方供应商提供的公共云基础设施上运行,包括Google Cloud(“GCP”)、Microsoft Azure(“Azure”)和Amazon Web Services(“AWS”),我们的成本和毛利率受到我们能够与这些公共云提供商谈判的价格的显著影响。只要我们能够推动我们的平台和数据安全产品的采用,我们可能会产生与我们的公共云合同相关的成本增加,这将对我们的毛利率产生负面影响。我们发展业务的努力可能比我们预期的成本更高,或者我们收入的增长速度可能比我们预期的要慢,我们可能无法增加足够的收入来抵消增加的运营费用。此外,我们在实施规模化运营的系统和流程方面的努力和投资可能不够或可能没有得到适当的执行。因此,我们未来可能会因多种原因而蒙受重大损失,包括本文所述的其他风险、不可预见的费用、困难、并发症或延误,以及其他未知事件。如果我们无法实现并维持盈利,我们的业务和A类普通股的价值可能会大幅缩水。
Moreover, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be increasingly difficult to integrate companies into our information technology environment and security program.
We rely on third parties to provide and/or operate critical business systems, process sensitive information, and to help us deliver services to our customers and their end-users. These third parties process customer information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. For example, our data security solutions are built to be available on the infrastructure of third-party public cloud providers such as GCP, Azure, and AWS. We may also rely on other third-party service providers, contract manufacturers, and original equipment manufacturers (OEMs), or collectively with contract manufacturers, Manufacturers, to provide other products or services, or otherwise to assist us with operating our business. While we conduct diligence on these third parties, our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or our third-party partners’ supply chains have not been or will not be compromised.
We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties upon which we rely). However, we have been and may be unable to detect and remediate all such vulnerabilities in our information systems (including our platform and data security products) on a timely basis and there can be no assurance that any vulnerability mitigation measures that we implement will be effective. Further, the process for evaluating potential vulnerabilities and developing and deploying remedial measures and patches designed to address identified vulnerabilities has been and may in the future be lengthy and may also be subject to delays, which may result in exploitation of vulnerabilities that results in a security incident.
Any of the previously identified vulnerabilities or cybersecurity threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our Sensitive Information or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our platform. Additionally, our business depends upon the appropriate and successful implementation of our platform by our customers. If our customers fail to use our platform according to our specifications or are unwilling or unable to deploy such patches we make available for vulnerabilities effectively or in a timely manner, our customers may suffer a security incident or other interruptions on their own systems or other adverse consequences. Even if such an incident is unrelated to our security practices, it could result in our incurring significant economic and operational costs in investigating, remediating, and implementing additional measures to further protect our customers from their own security issues or vulnerabilities and could result in reputational harm.
Certain data privacy and security obligations may require us to implement and maintain specific industry standard, reasonable security measures to protect our information technology systems and customer information. Additionally, applicable data privacy and security obligations may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents, or to implement other requirements, such as providing credit monitoring. Such disclosures, and compliance with such requirements, are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. Though we have expended, and anticipate continuing to expend, significant resources to try to protect against security incidents by implementing technical, administrative, and physical measures designed to protect the privacy and security of data running through our, and our third parties’, systems, it is virtually impossible for us to entirely eliminate the risk of such security incidents or interruptions.
If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing data (including data about individuals); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop purchasing our data security solutions, deter new customers from purchasing our data security solutions, and negatively impact our ability to grow and operate our business. As a data security company, we could be exposed to additional reputational risks should a security incident occur.
Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to security incidents, vulnerabilities, or our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.
Our use of generative artificial intelligence tools may pose risks to our proprietary software and systems and subject us to legal liability.
We use generative AI tools in our business, and we expect to use generative AI tools in the future, including to generate code and other materials incorporated into our products, proprietary software, and systems, and for other internal and external uses. Generative AI refers to deep-learning models that can generate new data, such as text, images, and other content, by analyzing and emulating existing data. Advanced generative AI tools, which may produce content indistinguishable from that generated by humans, are a relatively novel development, with benefits, risks, and liabilities still unknown. Recent decisions of governmental entities and courts (such as the U.S. Copyright Office, U.S. Patent and Trademark Office, and U.S. Court of Appeals for the Federal Circuit) interpret U.S. copyright and patent law as limited to protecting works and inventions created by human authors and inventors, respectively. We are therefore unlikely to be able to obtain U.S. copyright or patent protection for works or inventions wholly created by a generative AI tool, and our ability to obtain U.S. copyright and patent protection for source code, text, images, inventions, or other materials, which are developed with some use of generative AI tools, may be limited, if available at all. Likewise, the availability of such IP protections in other countries is unclear. In addition, we may have little or no insight into and no control over the content and materials used by vendors to train these generative AI tools. There is ongoing litigation over whether the use of copyrighted materials to train the AI models used in these tools is lawful, and the impact of decisions in such litigation on our use of generative AI tools is unknown. Additionally, our use of third-party generative AI tools to develop source code, text, images, inventions, or other materials may expose us to greater risks than utilizing contracted human developers, as third-party generative AI vendors typically do not provide warranties or indemnities with respect to the output generated by such generative AI tools, and generative AI tools may also hallucinate, providing output that appears correct but is erroneous. Furthermore, some generative AI tools may be offered under terms that do not protect the confidentiality of the prompts or inputs that users submit to such tools and may use prompts or inputs to train shared AI models, potentially resulting in third-party users receiving outputs containing information from prompts or inputs (including confidential, competitive, proprietary, or personal data) that we submitted to the tool. The disclosure and use of personal data in AI technologies is also subject to various privacy laws and other privacy obligations. Prior to implementing a generative AI tool, our AI Governance Committee (including leaders from our Engineering, Product, Legal, and Information Security teams) performs an analysis and review of the tool, including evaluation of potential legal, security, and business risks and steps that can be taken to mitigate any such risks. The selection criteria and analysis include consideration of how use of the generative AI tool could raise issues relating to confidential information, personal data and privacy, customer data and contractual obligations, open source software, copyright and other intellectual property rights, transparency, output accuracy and reliability, and security. Additionally, while we employ practices designed to evaluate, track, and mitigate risk around our use of third-party generative AI tools, our use of such tools may inadvertently violate a third party’s rights, be non-compliant with the applicable terms of use or our other legal obligations, or result in a security or privacy risk or data leakage. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. For example, we may face claims from third parties claiming infringement of their intellectual property rights or mandatory compliance with open-source software or other license terms with respect to software or other materials or content we believed to be available for use and not subject to license terms or other third-party proprietary rights. Any of these claims could result in legal proceedings and could require us to purchase costly licenses, comply with the requirements of third-party licenses, or limit or cease using the implicated software or other materials or content, unless and until we can re-engineer such software, materials, or content to avoid infringement or change the use of, or remove, the implicated third-party materials, which could reduce or eliminate the value of our technologies and services. Our use of generative AI tools to generate code may also present additional security risks because the generated source code may contain security vulnerabilities. Additionally, the vendors of these generative AI tools may fail to comply with their contractual obligations to us regarding the confidentiality or security of any data or other inputs provided to such vendor or outputs generated by their generative AI tools. Our sensitive information or that of our customers could be leaked, disclosed, or revealed as a result of or in connection with our employees’, personnel’s, or vendors’ use of third-party generative AI technologies.
We may also market our own products as generative AI tools ("Generative AI Products"). Some of our customers, especially those in highly regulated industries, may be reluctant or unwilling to adopt Generative AI Products. Accordingly, adoption of generative AI features in our products and marketing our products as Generative AI Products could reduce or delay customer adoption. Because generative AI models can hallucinate and provide erroneous output, offering Generative AI Products could result in customer dissatisfaction or potentially claims against us arising out of customer reliance on erroneous output to their detriment. Our Generative AI Products may require us to train or fine-tune AI models using datasets collected by us or from third-party vendors. While we have processes and practices designed to ensure that we and any vendors that we use to source training data have the necessary rights to use such datasets for training our Generative AI Products, we may not in every instance be able to confirm that all of the information contained in such datasets has been obtained with the necessary permissions for us to use for purposes of our Generative AI Products. For example, we may use publicly available data to train our Generative AI Products that contains information that was unlawfully acquired from third parties without our knowledge. While we have employed processes designed to help us avoid using any personal data to train or fine-tune our Generative AI Products, it may be difficult for us to avoid or identify all instances where a user might nonetheless submit personal data to our Generative AI Products. Furthermore, if we were to receive claims from third parties asserting rights against our use of certain datasets used to train our Generative AI Products, it may be difficult or impossible for us to disentangle our trained models from the subject matter of the claims.
Several jurisdictions around the globe, including in Europe and certain U.S. states, have proposed, enacted, or are considering laws governing AI tools, including the EU’s AI Act and the Colorado AI Act. We expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI. These obligations may make it harder for us to conduct our business using AI, lead to regulatory fines or penalties, require us to change our business practices, retrain our Generative AI Products, or prevent or limit our use of AI. For example, the FTC has required other companies to delete (or “disgorge”) both the personal data that the FTC alleged were collected in violation of privacy laws as well as the algorithms and other insights that were developed or generated using such data. If we cannot use AI or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage.
Any of these risks could be difficult to eliminate or manage, and, if not addressed, could adversely affect our business, financial condition, results of operations, and growth prospects.
We expect our revenue mix and certain business factors to impact the amount of revenue recognized period to period, which could make period-to-period revenue comparisons not meaningful and difficult to predict.
We expect our revenue mix to vary over time due to a number of factors, including the timing of when customers adopt RSC and the mix of our subscriptions for different data security products. Our subscription revenue includes revenue from sales of subscription term-based licenses, a portion of which is recognized upfront when we transfer control of the subscription term-based license to the customer, and revenue from sales of SaaS subscriptions and support, which is recognized ratably over the contract period. Due to the proportion of our contracts trending from subscription term-based licenses to SaaS subscriptions, the timing of the migration of our existing customers from Cloud Data Management to RSC, as well as the estimates and assumptions used to account for certain customers’ Subscription Credits (as defined below) related to their Refresh Rights (as defined below), our revenue may fluctuate and period-to-period revenue comparisons may not be meaningful, and our past results may not be indicative of future performance. We cannot be certain how long these factors may persist. For example, as our existing customers prepare to migrate to RSC, we expect certain of them to consume our solutions through a mix of RSC and RCDM-T during which time we will continue recognizing a portion of the associated revenue upfront. These factors make it challenging to forecast our revenue as the mix of solutions and services, the timing of our customers’ RSC transition, as well as the size of contracts, are difficult to predict.
We rely upon third-party cloud providers to host our data security solutions, and any disruption of, or interference with, our use of third-party cloud products would adversely affect our business, financial condition, and results of operations.
Customers of RSC and our other cloud services need to be able to access our data security solutions at any time, without interruption or degradation of performance, and we provide them with service-level commitments with respect to uptime. We leverage third-party cloud providers for substantially all of the infrastructure that supports our data security solutions. Our cloud services depend on the cloud infrastructure hosted by these third-party providers to support our configuration, architecture, features, and interconnection specifications, as well as secure the information stored in these virtual data centers, which is transmitted through third-party internet service providers. Any limitation on the capacity of our third-party hosting providers, including due to technical failures, shifts in product capabilities or licensing models, natural disasters, fraud, or security attacks, could impede our ability to fulfill our current contractual commitments, onboard new customers, or expand the usage of our existing customers, which could adversely affect our business, financial condition, and results of operations.
In addition, third-party cloud providers run their own platforms that we access, and we are, therefore, vulnerable to their service interruptions. We may experience interruptions, delays, and outages in service and availability from time to time as a result of problems with our third-party cloud providers’ infrastructure. Lack of availability of this infrastructure could be due to a number of potential causes that we cannot predict or prevent, including technical failures, natural disasters, fraud, or cyber security attacks. Such outages could lead to the triggering of our service-level commitments and extensions of affected services at no charge to our customers, which may impact our business, financial condition, and results of operations. In addition, if our security, or that of any of these third-party cloud providers, is compromised, our software is unavailable, or our customers are unable to use our software within a reasonable amount of time or at all, our business, financial condition, and results of operations could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It is possible that our customers and potential customers would hold us accountable for any breach of security affecting a third-party cloud provider’s infrastructure, and we may incur significant liability from those customers and from third parties with respect to any breach affecting these systems. We may not be able to recover a material portion of our liabilities to our customers and third parties from a third-party cloud provider. It may also become increasingly difficult to maintain and improve our performance, especially during peak usage times, as our software becomes more complex and the usage of our software increases. Any of the above circumstances or events may harm our business, financial condition, and results of operations.
We may not be able to successfully manage our growth, and if we are not able to grow efficiently, our business, financial condition, and results of operations could be harmed.
As usage and adoption of our platform and data security products grow, we will need to devote additional resources to improving our capabilities, features, and functionality. In addition, we will need to appropriately scale our internal business operations and our services organization to serve our growing customer base. Any failure of or delay in these efforts could result in impaired product performance and reduced customer satisfaction, resulting in decreased sales to new customers, lower average subscription dollar-based net retention rates, or the issuance of service credits or requested refunds, which would hurt our revenue growth and our reputation. Further, any failure in optimizing the costs associated with use of third-party cloud services as we scale could negatively impact our margins. Our expansion efforts will be expensive and complex and will require the dedication of significant management time and attention. We could also face inefficiencies, vulnerabilities, or service disruptions as a result of our efforts to scale our internal infrastructure, which may result in extended outages, loss of customer trust, and harm to our reputation. We cannot be sure that the expansion of and improvements to our internal infrastructure will be effectively implemented on a timely basis, if at all, and such failures could harm our business, financial condition, and results of operations.
The markets in which we participate are competitive, and if we do not compete effectively, our business, financial condition, and results of operations could be harmed.
The data security market is new and intensely competitive, characterized by rapidly changing technology and evolving standards, changing customer requirements, and frequent new product introductions. Our main competitors fall into the following categories:
•Data management and protection vendors, such as Dell-EMC, IBM, Commvault, Veeam, and Cohesity (Cohesity recently announced its proposed acquisition of Veritas' data protection business);
•Cloud and SaaS data management vendors with products that compete in some of our markets; and
•Vendors that provide cyber/ransomware detection and investigation, security posture management, insider threat detection, data classification, and other data security or data governance technologies.
The principal competitive factors in our industry include product functionality, product integration, platform coverage, ability to scale, price, worldwide sales infrastructure, global technical support, labor and development costs, name recognition, and reputation. The ability to converge data security and data management in a cloud architecture is also a significant competitive factor in our industry. If we are unable to address these factors, our competitive position could weaken, and we could experience a decline in revenue that could adversely affect our business.
Many of our current and potential competitors have longer operating histories and have substantially greater financial, technical, sales, marketing, and other resources than we do, as well as larger installed customer bases, greater name recognition, lower labor and development costs, and broader product solutions, including servers. Some of these competitors can devote greater resources to the development, promotion, sale, and support of their data security products than we can. As a result, these competitors may be able to respond more quickly to new or emerging technologies and changes in customer requirements. For example, many of our competitors are investing in AI technology to improve their data security products, which could enable them to respond more quickly to new or emerging threats and changes in customer requirements.
It is also costly and time-consuming to change data management systems. Most of our new or potential customers have already installed data management systems, which gives an incumbent competitor an advantage in retaining a customer due to significant risk to data continuity from switching vendors. The incumbent competitor already understands the data, applications, network infrastructure, user demands, and information technology needs of the customer, such that some customers are reluctant to invest the time, money, and resources necessary to implement configuration, integration, training, and other operational complexities that arise from another vendor. In addition, for any of our existing customers that have not yet transitioned to RSC, any perceived negative impacts or incremental costs associated with the transition to RSC, or a more rapid transition than planned by the customer, may result in customer dissatisfaction and give our competitors an opportunity to acquire these customers.
Our current and potential competitors may establish cooperative relationships among themselves or with third parties or may merge with each other. If so, new competitors, alliances, or merged entities that include our competitors may emerge that could acquire significant market share. In addition, large operating systems, applications, and cloud vendors have introduced products or functionality that include some of the same functions offered by our data security solutions. In the future, further development by these vendors could cause our data security solutions to become redundant, which could seriously harm our business, financial condition, and results of operations.
In addition, we expect to encounter new competitors, including public cloud providers and SaaS companies that build native data security and management solutions, as we expand in current markets or enter new markets. Furthermore, many of our existing competitors are broadening their operating systems platform coverage. We expect that competition will increase as a result of future software industry consolidation. Increased competition could harm our business by causing, among other things, price reductions of our data security solutions, reduced profitability, and loss of market share.
Our estimates of market opportunity, forecasts of market growth, and potential return on investment may prove to be inaccurate, and even if the market in which we compete achieves the forecasted growth, our business could fail to grow at similar rates, if at all.
Market opportunity estimates and growth forecasts, whether obtained from third-party sources or developed internally, are subject to significant uncertainty and are based on assumptions and estimates that may not prove to be accurate. The data security market is at an early stage and is rapidly evolving. As we are working to create a market for data security from other existing markets that focused on other elements of cybersecurity, our market is at an early stage and rapidly evolving. As a result, the size and future growth of this market are difficult to accurately estimate and subject to change. In addition, third-party estimates of the addressable market for the security and data management sectors reflect the opportunity available from all participants and potential participants, and we cannot predict with precision our ability to address this demand or the extent of market adoption of our platform and data security products. Moreover, the market segments we are targeting may grow at different rates. The variables that go into the calculation of our market opportunity are subject to change over time, and there is no guarantee that any particular number or percentage of addressable businesses covered by our market opportunity estimates will purchase our data security solutions or generate any particular level of revenue for us. Any expansion in our market opportunity depends on a number of factors, including the cost, performance, and perceived value associated with our data security solutions and the products of our competitors. Even if the areas in which we compete achieve the forecasted growth, our business could fail to grow at similar rates, if at all.
There are a limited number of contract manufacturers and original equipment manufacturers of commodity servers that are compatible with our data security solutions, and failure to accurately forecast demand for these commodity servers or successfully manage the relationship with such manufacturers could negatively impact the ability to sell our offerings.
A limited number of Manufacturers produce commodity servers that are compatible with our data security solutions. We do not own or operate any manufacturing facilities and rely on these Manufacturers for such products. These Manufacturers manage the supply chain for these products and, alone or together with us or our distributors and resellers ("Channel Partners"), negotiate component costs. Our reliance on Manufacturers and Channel Partners reduces our control over the assembly process, quality assurance, production costs, and product supply. If the relationships with Manufacturers are not properly managed or if Manufacturers experience delays, interruptions, or supply-chain disruptions, including due to international conflicts and geopolitical tensions (such as the imposition of new trade restrictions and tariffs due to escalating tensions, hostilities, or trade disputes), health epidemics or pandemics, new trade laws and regulations, capacity constraints, or quality control problems in their operations, the ability for customers to procure compatible commodity servers could be impaired. If we or our Channel Partners are required to change or qualify a new Manufacturer for any reason, including financial considerations, reduction of manufacturing output made available to us, or the termination of our or our Channel Partners’ contract with the Manufacturers, we may lose revenue, incur increased costs, and our customer relationships may be damaged. In addition, our contract manufacturers may terminate the agreement with us or our Channel Partners with prior notice for reasons such as failure to perform a material contractual obligation.
A large majority of the customer enterprise data we secure relies upon Rubrik-branded Appliances, which are currently built on servers supplied and designed by Super Micro Computer, Inc. ("Supermicro"). If we are unable to manage our relationship with Supermicro effectively, or if Supermicro suffers delays or disruptions for any reason, including due to recent reports of challenges at Supermicro, experiences increased manufacturing lead-times, capacity constraints, or quality control problems in its manufacturing operations, or fails to meet our requirements for timely delivery, or if Supermicro no longer produces the servers for our Rubrik-branded Appliances, our end-customer’s ability to procure Rubrik-branded Appliances in a timely manner would be impaired. While customers would have the ability to purchase compatible third-party commodity servers from other OEMs, and we have the ability to qualify new commodity servers for Rubrik-branded Appliances, this may create increased costs or delays for our customers and impact their customer experience, which could negatively impact our sales and our business. See the section titled “Business—Manufacturing” for additional information regarding our contractual relationship with Supermicro.
Certain of our OEMs carry products that compete with our data security solutions and may not continue producing or supporting compatible commodity servers for our customers in the future. We or our Channel Partners provide forecasts and purchase orders to Manufacturers for compatible commodity servers, and these orders may only be rescheduled or canceled under certain limited conditions. If we inaccurately forecast demand for our data security solutions and need for compatible commodity servers, our Manufacturers may have excess or inadequate inventory, and we may incur cancellation charges or penalties, which could adversely impact our operating results. If we experience increased demand for compatible commodity servers, then we, our Channel Partners, or Manufacturers may need to increase component purchases, contract manufacturing capacity, or internal test and quality functions. Our customers’ orders may represent a relatively small percentage of the overall orders received by Manufacturers from their customers. As a result, fulfilling our customers’ orders may not be considered a priority in the event Manufacturers are constrained in their ability to fulfill all of their customer obligations in a timely manner. Although we are transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers, if Manufacturers are unable to provide adequate supplies of high-quality products, or if we, our Channel Partners, or Manufacturers are unable to obtain adequate quantities of components, or control the costs of components, it could cause a delay in the fulfillment of our customers’ orders, in which case our business, financial condition, and results of operations could be adversely affected.
If customers have not utilized their Subscription Credits before they expire, this could result in customer dissatisfaction and our future results of operations could be harmed.
The customer enterprise data we secure relies upon compatible hardware. Historically, we sold Rubrik-branded Appliances produced by contract manufacturers to our customers. We started transitioning the sale of Rubrik-branded Appliances from us to our contract manufacturers in fiscal 2023 and offered limited-time incentives ("Subscription Credits"), upon qualification, to certain existing customers in exchange for historically offered rights to next generation Rubrik-branded Appliances at no cost, which we refer to as Refresh Rights. If customers have not utilized their Subscription Credits before they expire, this could result in customer dissatisfaction or a decision not to purchase our data security solutions, which would have an adverse impact on our results of operations.
We rely on the performance of highly skilled personnel, including senior management and engineering, services, sales, and technology professionals. If we are unable to retain or motivate key personnel or hire, retain, and motivate qualified personnel, our business will be harmed.
We believe our success has depended, and continues to depend, on the efforts and talents of our senior management team, particularly Bipul Sinha, our Chairman of our board of directors, Chief Executive Officer, and co-founder, and Arvind Nithrakashyap, our Chief Technology Officer and co-founder, as well as our other key employees in the areas of research and development and sales and marketing.
From time to time, there may be changes in our senior management team or other key employees resulting from the hiring or departure of these personnel. Our executive officers and certain other key employees are employed on an at-will basis, which means that these personnel could terminate their employment with us at any time. The loss of one or more of our executive officers, or the failure by our executive team to effectively work with our employees and lead our company, could harm our business. We also are dependent on the continued service of our existing software engineers because of the complexity of our data security solutions. In addition, a significant portion of our software engineers are located in Palo Alto, California and Bangalore, India. These locations offer access to a deep pool of highly skilled professionals, which is crucial for the development and maintenance of our complex data security solutions. However, this concentration also exposes us to potential continuity risk if these specific locations are negatively impacted by unforeseen events, such as natural disasters, political unrest, or disruptions in critical infrastructure.
In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel is intense, especially for engineers experienced in designing and developing cloud-based infrastructure products, for experienced sales professionals, and for cybersecurity professionals. If we are unable to attract such personnel at appropriate locations, we may need to hire in new regions, which may add to the complexity and costs of our business operations. From time to time, we have experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have. As has occurred in the past, if we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached certain legal obligations, resulting in a diversion of our time and resources. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, experiences significant volatility, or increases such that prospective employees believe there is limited upside to the value of our equity awards, it may adversely affect our ability to recruit and retain employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and growth prospects would be harmed.
We derive substantially all of our revenue from our data security platform. Failure of our platform to satisfy customer demands or achieve continued market acceptance over competitors would harm our business, financial condition, results of operations, and growth prospects.
We derive substantially all of our revenue from our platform, and we have directed, and intend to continue to direct, a significant portion of our financial and operating resources to developing more features and functionality for our platform.
Our growth will depend in large part on our ability to attract new customers and expand sales to existing customers, expand the features and functionality of our platform, hire sufficient sales personnel to support our growth, and decrease the ramp time for our sales personnel. In addition, the success of our business is substantially dependent on the actual and perceived viability, benefits, and advantages of our platform as a preferred provider for data security. As such, market adoption of our platform and data security products is critical to our continued success. Demand for our platform and data security products is affected by a number of factors, including increased market acceptance by new and existing customers, increased activity by or prevalence of cybersecurity bad actors, including the use of ransomware, effectiveness of our sales and marketing strategy, the extension of our platform to new applications and use cases, the timing of development and release of new capabilities by us and our competitors, technological change, and growth or contraction of the market in which we compete. Failure to successfully address or account for these factors, satisfy customer demands, achieve continued market acceptance over competitors, and achieve growth in sales of our data security products would harm our business, financial condition, results of operations, and growth prospects.
We expect fluctuations in our financial results, making it difficult to project future results, and if we fail to meet the expectations of securities analysts or investors with respect to our results of operations, our stock price and the value of your investment could decline.
Our results of operations have fluctuated in the past and are expected to fluctuate in the future due to a variety of factors, many of which are outside of our control. As a result, our past results may not be indicative of our future performance. In addition to the other risks described herein, factors that may affect our results of operations include:
•changes in our revenue mix;
•changes in actual and anticipated growth rates of our revenue, customers, and key operating metrics;
•fluctuations in demand for or pricing of our data security solutions;
•our ability to attract new customers;
•the level of awareness and prevalence of cybersecurity threats, particularly advanced cyberattacks and ransomware attacks;
•timing of our existing customers’ transition to RSC, including the impact on our revenue recognition and customer retention and expansion;
•our ability to retain our existing customers, particularly large customers, and secure renewals of subscriptions, as well as the timing of customer renewals or non-renewals;
•the pricing and quantity of subscriptions renewed, as well as our ability to accurately forecast customer expansions and renewals;
•downgrades in customer subscriptions;
•customers and potential customers opting for alternative data security solutions, including developing their own in-house solutions;
•timing and amount of our investments to expand the capacity of our third-party cloud service providers;
•seasonality in sales, results of operations, and remaining performance obligations;
•investments in new data security products, including protection of new enterprise, cloud, and SaaS applications, new features, and functionality;
•fluctuations or delays in development, release, or adoption of new features and functionality for our data security solutions;
•delays in closing sales, including the timing of renewals, which may result in revenue being pushed into the next fiscal quarter, particularly because a large portion of our sales occur toward the end of each fiscal quarter;
•fluctuations or delays in purchasing decisions in anticipation of new data security products or enhancements by us or our competitors;
•changes in customers’ budgets, the timing of their budget cycles and purchasing decisions, and payment schedules;
•our customers’ ability to procure Rubrik-branded Appliances or compatible commodity servers from Manufacturers;
•the number of qualified customers that elect to utilize their Subscription Credits before they expire;
•our ability to control costs, including hosting costs and our operating expenses;
•the amount and timing of payment for operating expenses, particularly research and development and sales and marketing expenses, including commissions;
•timing of hiring personnel for our research and development and sales and marketing organizations;
•the amount and timing of non-cash expenses, including stock-based compensation expense and other non-cash charges;
•the amount and timing of costs associated with recruiting, educating, and integrating new employees and retaining and motivating existing employees;
•the effects of acquisitions and their integration;
•general economic conditions, both domestically and internationally, as well as economic conditions specifically affecting industries in which our customers participate;
•fluctuations in foreign currency exchange rates;
•the impact of new accounting pronouncements;
•changes in regulatory or legal environments that may cause us to incur, among other things, expenses associated with compliance;
•the impact of changes in tax laws or judicial or regulatory interpretations of tax laws, which are recorded in the period such laws are enacted or interpretations are issued and may significantly affect the effective tax rate of that period and following periods;
•health epidemics or pandemics;
•changes in the competitive dynamics of our market, including consolidation among competitors or customers; and
•significant security incidents related to, technical difficulties with, or interruptions to, the delivery and use of our data security solutions.
Any of these and other factors, or the cumulative effect of some of these factors, may cause our results of operations to vary significantly. If our quarterly results of operations fall below the expectations of investors and securities analysts who follow our stock, the price of our Class A common stock could decline substantially, and we could face costly lawsuits, including securities class action suits.
In addition, while we recognize our SaaS subscription revenue ratably over the term of the subscription, our customers typically pay us for new multi-year subscriptions upfront and then annually upon one-year renewals. Recently, due to the growth in our SaaS product offerings, changes in our customer mix, and the uncertain macroeconomic environment, we have experienced an increase in customers electing annual or consumption payments instead of multi-year upfront payments, which has caused and may continue to cause volatility in our period over period cash flow and may have an adverse effect on our business and results of operations.
Our ability to introduce new data security products and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively, and our business and results of operations may be harmed.
To remain competitive, we must continue to offer new data security products and enhancements to our platform and existing solutions. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop solutions internally due to certain constraints, such as high employee turnover, lack of management ability, or a lack of other research and development resources, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to successfully integrate into our operations. Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not may be acquired by larger companies that would allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources or to compete effectively with the research and development programs of our competitors would give an advantage to such competitors, and our business, financial condition, and results of operations could be adversely affected. Moreover, there is no assurance that our research and development or acquisition efforts will successfully anticipate market needs and result in significant new marketable solutions or enhancements to our solutions, design improvements, cost savings, revenues, or other expected benefits. If we are unable to generate an adequate return on such investments, we may not be able to compete effectively, and our business and results of operations may be adversely affected.
We depend and rely on SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business and results of operations.
We rely on hosted SaaS applications from third parties in order to operate critical functions of our business, including enterprise resource planning, order management, billing, project management, human resources, technical support, accounting, and other operational activities. If these services become unavailable due to extended outages, interruptions, or because they are no longer available on commercially reasonable terms, our expenses could increase, our ability to manage finances could be interrupted, and our processes for managing sales of our data security solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained, and implemented, all of which could adversely affect our business and results of operations.
If we are unable to maintain successful relationships with our Channel Partners and technology alliance partners, or if our Channel Partners or technology alliance partners fail to perform, our ability to market, sell, and distribute our data security solutions will be limited, and our business, financial condition, and results of operations will be harmed.
In addition to our sales force, we rely on our Channel Partners, which include our distributors and resellers, to sell and support our data security solutions. A vast majority of sales of our data security solutions flow through our Channel Partners with the support of our sales force. Our three largest Channel Partners, Arrow Enterprise Computing Solutions, Exclusive Networks, and Ingram Micro Inc., and their respective affiliates collectively generated approximately 79% and 76% of our revenue for fiscal 2023 and fiscal 2024, respectively. Our agreements with our Channel Partners, including our agreements with our three largest Channel Partners, are non-exclusive, renew automatically in one-year term increments, and may be terminated by either party at any time. Further, our Channel Partners fulfill our sales on a purchase order basis and do not impose minimum purchase requirements or related terms on sales. Our Channel Partners enable us to extend our reach, in particular with smaller customers and in geographies where we have less sales presence. Additionally, we have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans. For example, through our alliance with Microsoft Corporation, and along with our mutual go-to-market obligations, we have committed to spend $220 million over the course of up to 10 years for the use of Azure for our data security solutions and preferentially offer public cloud functionality for Azure to our customers.
We derive a substantial amount of our revenue from sales through Channel Partners, and we expect to continue to derive a substantial amount of our revenue from Channel Partners in future periods. Our agreements with our Channel Partners are generally non-exclusive and do not prohibit them from working with our competitors or offering competing products, and many of our Channel Partners may have more established relationships with our competitors. If our Channel Partners choose to place greater emphasis on solutions other than our own, fail to effectively market and sell our data security solutions, or fail to meet the needs of our customers, then our ability to grow our business and sell our data security solutions may be adversely affected. In addition, the loss of one or more of our larger Channel Partners or technology alliance partners, who may cease marketing our data security solutions with limited or no notice, and any inability to replace them, could adversely affect our business, financial condition, and results of operations. Moreover, our ability to expand our distribution channels depends in part on our ability to maintain successful relationships with our Channel Partners and educate and train our current and future Channel Partners about our data security solutions, which can be complex. If we fail to effectively manage our existing sales channels, or if our Channel Partners are unsuccessful in fulfilling the orders for our data security solutions, or if we are unable to enter into arrangements with, and retain a sufficient number of, high quality Channel Partners in each of the regions in which we sell data security solutions and keep them motivated to sell our data security solutions, our business, financial condition, and results of operations will be harmed. Even if we are successful, these relationships may not result in greater customer usage of our data security products or increased revenue. Our ability to influence, or have visibility into, the actions or efforts of our Channel Partners may be limited. If our partners, including our Channel Partners, fail to comply with applicable laws, including anti-corruption, antitrust, or competition laws, or engage in activities that result in or may result in liability, we may also be adversely affected through reputational harm, as well as other negative consequences, including litigation, government investigations and penalties.
In addition, the financial health of our Channel Partners and our continuing relationships with them are important to our success. Some of these Channel Partners may be unable to withstand adverse changes in economic conditions, including the current macroeconomic uncertainty, which could result in insolvency or the inability of such Channel Partners to obtain credit to finance purchases of our data security solutions and services. In addition, weakness in the end-user market could negatively affect the cash flows of our Channel Partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Our business could be harmed if the financial condition of some of these Channel Partners substantially weakened, and we were unable to timely secure replacement Channel Partners.
If we do not effectively expand and train our sales force, we may be unable to add new customers or retain and increase sales to our existing customers, and our business will be adversely affected.
We depend on our sales force to obtain new customers and retain and increase sales with existing customers. Our ability to achieve significant revenue growth will depend, in large part, on our success in recruiting, training, and retaining sufficient numbers of sales personnel. We have expanded our sales organization significantly in recent periods and expect to continue to add additional sales capabilities in the near term. There is significant competition for sales personnel with the skills and technical knowledge that we require. New hires require significant training and may take significant time before they achieve full productivity, and this delay is accentuated by our long sales cycles. Our recent hires and planned hires may not become productive as quickly as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals in the markets where we do or plan to do business. In addition, a large percentage of our sales force is new to our company and selling our data security solutions, and therefore, this group may be less effective than our more seasoned sales personnel. Furthermore, hiring sales personnel in new countries, or expanding our existing presence, requires upfront and ongoing expenditures that we may not recover if the sales personnel fail to achieve full productivity. We may also incur additional compensation and training costs for our sales force, including as part of sales incentive realignment, as we work to migrate existing customers to RSC while ensuring retention and expansion. These additional costs may be higher than we expect depending on timing to complete the transition to RSC and any unforeseen challenges that arise, including due to additional costs faced by customers. Moreover, we could face challenges in our ability to retain sales personnel if the migration to RSC results in the loss of existing customers. We cannot predict whether, or to what extent, our sales will increase as we expand our sales force or how long it will take for sales personnel to become productive. If we are unable to hire and train a sufficient number of effective sales personnel, or the sales personnel we hire are not successful in obtaining new customers or retaining and increasing sales to our existing customer base, our business, financial condition, and results of operations will be adversely affected.
Our sales cycles can be long and unpredictable, and our sales efforts require considerable time and expense.
Our revenue may fluctuate because of the length and unpredictability of the sales cycle for our data security solutions, particularly with respect to large organizations and government entities. For example, in light of current macroeconomic conditions, we have observed a lengthening of our sales cycles, which may be attributed to higher cost-consciousness around information technology budgets. Customers often view the subscription to our platform as a significant strategic decision and, as a result, frequently require considerable time to evaluate, test, and qualify our platform, including from a security and privacy perspective, prior to entering into or expanding a relationship with us. Large enterprises and government entities in particular often undertake a significant evaluation process that further lengthens our sales cycle. Additionally, RSC and other SaaS solutions may elongate our sales cycles as a result of additional customer security and privacy evaluations.
Our sales team develops relationships with our customers and works with our Channel Partners on account penetration, account coordination, sales, and overall market development. We spend substantial time and resources on our sales efforts without any assurance that our efforts will produce a sale. Data security product purchases are frequently subject to budget constraints, multiple approvals, and unanticipated administrative, processing, and other delays. As a result, it is difficult to predict whether and when a sale will be completed.
If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, changing regulations, or to changing customer needs, requirements, or preferences, our data security solutions may become less competitive.
Our ability to attract new users and customers and increase revenue from existing customers depends in large part on our ability to enhance, improve, and differentiate our existing offering, increase adoption and usage of our data security solutions, and introduce new data security products and capabilities. The market in which we compete is relatively new and subject to rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. Because the market for our data security solutions is relatively new, it is difficult to predict customer adoption, increased customer usage and demand for our data security solutions, the size and growth rate of this market, the entry of competitive products, or the success of existing competitive products. If we are unable to enhance our data security solutions and keep pace with rapid technological change, or if new technologies emerge that are able to deliver competitive products at lower prices, more efficiently, more conveniently, or more securely than our data security solutions, our business, financial condition, and results of operations could be adversely affected.
To remain competitive, we need to continuously modify and enhance our data security solutions to adapt to changes and innovation in existing and new technologies. We expect that we will need to continue to differentiate our data management and data security capabilities, as well as expand and enhance our data security solutions to support a variety of use cases. This development effort will require significant engineering, sales, and marketing resources. Any failure to effectively offer data security solutions for these adjacent use cases could reduce customer demand for our platform. Further, our data security solutions must also integrate with a variety of network, commodity appliance, mobile, cloud, and software platforms and technologies, and we need to continuously modify and enhance our data security solutions to adapt to changes and innovation in these technologies. This development effort may require significant investment in engineering, support, marketing, and sales resources, all of which would affect our business and results of operations. Any failure of our data security solutions to operate effectively with widely adopted data infrastructure platforms, applications, and technologies would reduce the demand for our data security solutions. If we are unable to respond to customer demand in a cost-effective manner, our data security solutions may become less marketable and less competitive or obsolete, and our business, financial condition, and results of operations could be adversely affected.
The competitive position of our data security solutions depends in part on their ability to operate with third-party products and services, including those of our technology alliance partners, and if we are not successful in maintaining and expanding the compatibility of our data security solutions with such products and services, our business may be harmed.
The competitive position of our data security solutions depends in part on their ability to operate with products and services of third parties, including software companies, software services, and infrastructure, and our data security solutions must be continuously modified and enhanced to adapt to changes in commodity appliance, software, networking, browser, and database technologies. In the future, one or more technology companies, whether our technology alliance partners or otherwise, may choose not to support the operation of their software, software services, and infrastructure with our data security solutions, or our data security solutions may not support the capabilities needed to integrate with such software, software services, and infrastructure. In addition, to the extent that a third party was to develop software or services that compete with ours, that provider may choose not to support our offering. We intend to facilitate the compatibility of our platform with various third-party software, software services, and infrastructure offerings by maintaining and expanding our business and technical relationships. If we are not successful in achieving this goal, our business, financial condition, and results of operations may be harmed.
Incorrect or improper implementation or use of our data security solutions could result in customer dissatisfaction and harm our business, financial condition, and results of operations.
Our data security solutions are deployed in a wide variety of IT infrastructures, including large-scale, complex technology environments, and we believe our future success will depend, at least in part, on our ability to support such deployments. Implementations of our data security solutions may be technically complicated, and it may not be easy to maximize the value of our data security solutions without proper implementation, training, and support. Some of our customers have experienced difficulties implementing our data security solutions in the past and may experience implementation difficulties in the future. If we or our customers are unable to implement our data security solutions successfully, customer perceptions of our data security solutions may be impaired, our reputation and brand may suffer, or customers may choose not to renew their subscriptions or purchase additional data security products from us.
Any failure by customers to appropriately implement our data security solutions or any failure of our data security solutions to effectively integrate and operate within our customers’ data management infrastructure could result in customer dissatisfaction, impact the perceived reliability of our data security solutions, result in negative press coverage, negatively affect our reputation, and harm our business, financial condition, and results of operations.
We use third-party open-source software in our data security solutions, which could negatively affect our ability to sell our data security solutions or subject us to litigation or other actions.
Our data security solutions include third-party open-source software, and we intend to continue to incorporate third-party open-source software in our data security solutions in the future. There is a risk that the use of third-party open-source software in our software could impose conditions or restrictions on our ability to monetize our software or require making available the source code of all or part of our software that include, incorporate or rely upon such open-source software. Although we have internal policies in place designed to monitor the incorporation of open-source software into our data security solutions to avoid such restrictions, we cannot be certain that we have not incorporated open-source software in our data security solutions in a manner that is inconsistent with our licensing model or the licensing terms of any such open-source software. Certain open-source projects also incorporate other open-source software and there is a risk that those dependent open-source libraries may be subject to inconsistent licensing terms that affect our ability to use the software. This could create further uncertainties as to the governing terms for the open-source software we incorporate.
In addition, the terms of certain open-source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open-source software licenses could be construed in a manner that imposes unanticipated restrictions or conditions on our use of such software. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the software or derivative works that we developed using such open-source software, which could include proprietary portions of our source code, or otherwise seeking to enforce the terms of the open-source licenses. These claims could result in litigation and could require us to make those proprietary portions of our source code freely available, purchase a costly license or cease offering the implicated software or services unless and until we can re-engineer them to avoid infringement. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully.
In addition to risks related to license requirements, use of third-party open-source software can lead to greater risks than use of third-party commercial software, as open-source licensors generally do not provide warranties. Use of open-source software may also introduce security risks as it may contain security vulnerabilities, and hackers and other third parties may exploit the public availability of such open-source software to determine how to compromise our data security solutions.
In addition, licensors of open-source software included in our data security solutions may, from time to time, modify the terms of their license agreements applicable to any updates in such a manner that those license terms may include restrictions that make the use of such software incompatible with our business, and thus could, among other consequences, prevent us from using or incorporating new updates of such software that are subject to the modified license.
In addition, any source code that we contribute to open-source projects becomes publicly available, subject to the relevant open source license. As a result, our ability to protect some of our intellectual property rights in such source code may be limited or lost entirely, and we would be unable to prevent our competitors or others from using such contributed source code in accordance with the relevant open source license.
Any of these risks could be difficult to eliminate or manage, and if not addressed, could have a negative effect on our business, financial condition, and results of operations.
Our success depends, in part, on the integrity and scalability of our systems and infrastructures. System interruption or delays from third-party data center hosting facilities and the lack of integration, redundancy, and scalability in our systems and infrastructures could impair the delivery of our data security solutions and harm our business.
Our success depends, in part, on our ability to maintain the integrity of our systems and infrastructure, including websites, information, and related systems. System interruption and the lack of integration and sufficient redundancy in our information systems and infrastructures may harm our ability to operate websites, respond to customer inquiries, and generally maintain cost-efficient operations. We may experience occasional system interruptions that make some or all systems or data unavailable or prevent us from efficiently providing data security solutions.
We currently utilize third-party data center hosting facilities located in the United States and internationally. Any damage to, or failure of, the data facilities generally could result in interruptions in our data security solutions. As we continue to add data center hosting facilities and add capacity in our existing data facilities, we may move or transfer our data and our customers’ data. Despite precautions taken during this process, any unsuccessful data transfers may impair the delivery of our data security solutions. We also rely on affiliate and third-party computer systems, broadband, and other communications systems and service providers in connection with the provision of services generally, as well as to facilitate, process, and fulfill transactions. Interruptions in our data security solutions may reduce our revenue, cause us to issue credits or pay penalties, cause customers to terminate their subscriptions or data security solutions contracts, or harm our renewal rates or our ability to attract new customers. Our business will also be harmed if our customers and potential customers believe our data security solutions are unreliable.
Fire, flood, power loss, telecommunications failure, hurricanes, tornadoes, earthquakes, acts of war or terrorism, acts of God, and similar events or disruptions may damage or interrupt computer, broadband, or other communications systems and infrastructures at any time. Any of these events could cause system interruption, delays, and loss of critical data, and could prevent us from providing our data security solutions. While we have backup systems for certain aspects of our operations, disaster recovery planning by its nature cannot be sufficient for all eventualities. In addition, we may not have adequate insurance coverage to compensate for losses from a major interruption. As we continue to expand the number of our customers and data security solutions products available to our customers, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in data security solutions. If any of these events were to occur, it could harm our business, financial condition, and results of operations.
We rely on software licensed from other parties. Defects in or the loss of software from third parties could increase our costs and harm the quality of our data security solutions.
Components of our data security solutions include or rely upon software licensed from third parties. Our business could be disrupted if any of the software we license from others and functional equivalents thereof were either no longer available to us or no longer offered on commercially reasonable terms. In either case, we may be required to either redesign our data security solutions to function with software available from other parties or develop these components ourselves, which would result in increased costs and could result in delays in the release of new data security solutions. Furthermore, we might be forced to limit the features available in our current or future data security solutions. If we fail to maintain or renegotiate any of these software licenses, we could face significant delays and diversion of resources in attempting to license and integrate functional equivalents. While we believe that in most cases there are commercially reasonable alternatives to the third-party software we currently license, this may not always be the case, or it may be time consuming or expensive to replace existing third-party software or find a replacement third-party provider. Our use of additional or alternative third-party software or third-party providers would require us to enter into license agreements with third parties, and we may not be able to enter into such agreements on advantageous terms.
We are subject to governmental export and import controls and economic sanctions laws and regulations that could impair our ability to compete in international markets or subject us to liability and reputational harm if we violate the controls.
Our data security solutions are subject to U.S. export controls, including the Export Administration Regulations, and we incorporate encryption technology into our data security solutions. Our data security solutions and the underlying technology may be exported outside of the United States only in compliance with the required export authorizations, including by license, applicability of a license exception, or other appropriate government authorizations, including the filing of an encryption classification request or self-classification report, as applicable. Obtaining the necessary export license or other authorization for a particular sale may be time-consuming and may result in the delay or loss of sales opportunities.
Furthermore, we are required to comply with economic and trade sanctions laws and regulations of the countries where we do business, including those administered and enforced by the U.S. government (including through the Office of Foreign Assets Control of the U.S. Treasury Department and the U.S. Department of State). These economic and trade sanctions prohibit or restrict the provisions of products and services to embargoed jurisdictions or sanctioned persons, unless otherwise authorized.
While we have taken certain precautions to prevent our data security solutions from being provided in violation of trade controls and are in the process of enhancing our policies and procedures relating to trade controls, our data security solutions may have been in the past, and could in the future be, provided inadvertently and without our knowledge in violation of such laws. Violations of U.S. trade controls can result in significant fines or penalties and possible criminal liability for responsible employees and managers, in addition to potential reputational harm.
If our partners, including our Channel Partners, fail to obtain appropriate import, export, or re-export licenses or permits, we may also be adversely affected through reputational harm, as well as other negative consequences, including government investigations and penalties.
Also, various countries, in addition to the United States, regulate the import and export of certain encryption and other technology, including import and export licensing requirements, and have enacted laws that could limit our ability to distribute our data security solutions or could limit our customers’ ability to implement our data security solutions in those countries. Changes in our data security solutions or future changes in export and import regulations may create delays in the introduction of our data security solutions in international markets, prevent our customers with international operations from deploying our data security solutions globally or, in some cases, prevent the export or import of our data security solutions to certain countries, governments, or persons altogether. From time to time, various governmental agencies have proposed additional regulation of encryption technology.
Any change in export or import regulations, economic sanctions, or related laws or regulations, or change in the countries, governments, persons, or technologies targeted by such regulations, could result in decreased use of our data security solutions by, or in our decreased ability to export or sell our data security solutions to, existing or potential customers with international operations. Any decreased use of our data security solutions or limitation on our ability to export or sell our data security solutions would adversely affect our business, financial condition, results of operations, and growth prospects.
We are subject to anti-corruption, anti-bribery, and similar laws, and non-compliance with such laws can subject us to criminal or civil liability and harm our business, financial condition, and results of operations.
We are subject to the U.S. Foreign Corrupt Practices Act ("FCPA"), U.S. domestic bribery laws, the UK Bribery Act, and other anti-corruption and anti-boycott laws in the countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees, and their third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector. As a public company, the FCPA separately requires that we keep accurate books and records and maintain internal accounting controls sufficient to assure management’s control, authority, and responsibility over our assets. As we engage in and increase our international sales and business and sales to the public sector, we may engage with business partners and third-party intermediaries, including Channel Partners, to market and sell our data security solutions and to obtain necessary permits, licenses, and other regulatory approvals. In addition, we or our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities.
While we have policies and procedures and conduct training designed to address compliance with such laws, our employees and agents may take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase.
Detecting, investigating, and resolving actual or alleged violations of anti-corruption laws can require a significant diversion of time, resources, and attention from senior management. In addition, noncompliance with anti-corruption, anti-bribery, or anti-boycott laws could subject us to whistleblower complaints, investigations, sanctions, settlements, prosecution, enforcement actions, fines, damages, other civil or criminal penalties or injunctions, suspension, or debarment from contracting with certain persons, reputational harm, adverse media coverage, and other collateral consequences. If any subpoenas or investigations are launched, or governmental or other sanctions are imposed, or if we do not prevail in any possible civil or criminal proceeding, our business, financial condition, and results of operations could be harmed. In addition, responding to any action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees.
Downturns or upturns in our sales may not be immediately reflected in our financial condition and results of operations.
We recognize a significant portion of our revenue ratably over the term of subscriptions to our data security solutions. As a result, any decreases in new subscriptions or renewals in any one period may not immediately be fully reflected as a decrease in revenue for that period but would negatively affect our revenue in future quarters. This also makes it difficult for us to rapidly increase our revenue through the sale of additional subscriptions in any period. If our quarterly results of operations fall below the expectations of investors and securities analysts who follow our stock, the price of our Class A common stock would decline substantially, and we could face costly lawsuits, including securities class actions.
Seasonality may cause fluctuations in our revenue and related metrics.
Historically, we have experienced seasonality in revenue and related metrics, as we typically sell a higher percentage of subscriptions to new customers, and expansion and renewal subscriptions with existing customers in the fourth quarter of our fiscal year. We believe that this results from the procurement, budgeting, and deployment cycles of many of our customers, particularly our enterprise customers. We expect that this seasonality may continue to affect our revenue and related metrics in the future and might become more pronounced as we continue to target enterprise customers.
Our subscription annual recurring revenue ("Subscription ARR"), cloud annual recurring revenue ("Cloud ARR"), and certain other operational data are operating metrics that are subject to assumptions and limitations, including that the factors that impact Subscription ARR will vary from those that impact subscription revenue. As such, these metrics may not provide an accurate indication of our actual performance or our future results.
Subscription ARR, Cloud ARR, and other operational metrics are based on numerous assumptions and limitations, are calculated using our internal data from non-financial systems, have not been independently verified by third parties, and may not accurately reflect actual results nor provide an accurate indication of future or expected results. Further, the definitions and assumptions for these metrics may differ from those calculated by other businesses. Subscription ARR and Cloud ARR are not proxies for revenue or forecasts of revenue, and do not reflect any anticipated reductions in contract value due to contract non-renewals or service cancellations. In addition, the factors that impact Subscription ARR will vary from those that impact subscription revenue in a given period. As a result, Subscription ARR, Cloud ARR, and our other operational data may not accurately reflect our actual performance, and investors should consider these metrics in light of the assumptions and processes used in calculating such metrics and the limitations as a result thereof. Investors should not place undue reliance on these metrics as an indicator of our future or expected results. Moreover, these metrics may differ from similarly titled metrics presented by other companies and may not be comparable to such other metrics. See the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Key Business Metrics” for additional information regarding Subscription ARR, Cloud ARR, and other operational metrics.
We will face risks associated with the growth of our business with certain heavily regulated industry verticals.
We market and sell our data security solutions to customers in heavily regulated industry verticals, including the banking, healthcare, and financial services industries. As a result, we face additional regulatory scrutiny, risks, and burdens from the governmental entities and agencies that regulate those industries. Entering new heavily regulated verticals and expanding in those verticals in which we are already operating will continue to require significant resources to address potential regulatory scrutiny, risks, and burdens, and there is no guarantee that such efforts will be successful or beneficial to us. If we are unable to successfully penetrate these verticals, maintain our market share in such verticals in which we already operate, or cost-effectively comply with governmental and regulatory requirements applicable to our activities with customers in such verticals, our business, financial condition, and results of operations may be harmed.
Sales to government entities are subject to a number of challenges and risks.
We sell to U.S. federal, state, and local, as well as foreign governmental agency customers. Sales to such entities are subject to a number of challenges and risks. Selling to such entities can be highly competitive, expensive, and time-consuming, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale. Government contracting requirements may change and in doing so restrict our ability to sell into the government sector until we have obtained any required government certifications. Further, achieving and maintaining government certifications, such as U.S. Federal Risk and Authorization Management Program ("FedRAMP"), certification for our data security solutions, may require significant upfront and ongoing cost, time, and resources. If we do not obtain and maintain FedRAMP certification for our data security solutions, we may not be able to sell certain solutions to the U.S. federal government and public sector customers as well as eligible private sector customers that require such certification for their intended use cases, which could harm our growth, business, and results of operations. This may also harm our competitive position against larger enterprises whose competitive data security solutions are certified. Further, there can be no assurance that we will secure commitments or contracts with government entities even following such certifications, which could harm our margins, business, financial condition, and results of operations. Government demand and payment for our data security solutions are affected by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our data security solutions.
Further, governmental entities may demand contract terms that differ from our standard arrangements and are less favorable than terms agreed with private sector customers. Such entities may have statutory, contractual, or other legal rights to terminate contracts with us or our Channel Partners for convenience or for other reasons. Any such termination may adversely affect our ability to contract with other government customers as well as our reputation, business, financial condition, and results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our subscriptions, a reduction of revenue, or fines or civil or criminal liability if the audit uncovers improper or illegal activities, which could adversely affect our business, financial condition, results of operations, and reputation.
Our customers also include certain non-U.S. governments, to which government procurement law risks similar to those present in U.S. government contracting also apply, particularly in certain emerging markets where our customer base is less established. In addition, compliance with complex regulations and contracting provisions in a variety of jurisdictions can be expensive and consume significant management resources. In certain jurisdictions, our ability to win business may be constrained by political and other factors unrelated to our competitive position in the market. These difficulties could harm our business, financial condition, and results of operations.
In October 2023, we received a grand jury subpoena from the Department of Justice, U.S. Attorney’s Office for the District of Maryland ("DOJ"), which requested information regarding two specific companies, which we subsequently learned were associated with an employee from one of our sales teams who is no longer with the company and who was indicted by a federal grand jury in the District of Maryland in October 2024 and is being prosecuted by the DOJ. We are fully cooperating with this investigation and have been conducting our own thorough internal investigation. In the course of our internal investigation, we have discovered communications among certain employees within one of our sales teams, including such former Rubrik employee, that relate to potential violations of federal law in connection with government contracts, and are similarly cooperating with the DOJ with respect to these matters. These investigations are ongoing, and we do not know when they will be completed, the entirety of facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take. Because we cannot predict the outcome of these investigations, we are not able to provide an estimate of any possible consequences. A negative outcome in any or all of these matters could cause us to incur substantial fines, penalties, or other financial exposure, as well as reputational harm and exclusion from future contracting with the federal government.
Acquisitions, strategic investments, joint ventures, or alliances could be difficult to identify, pose integration challenges, divert the attention of management, disrupt our business and culture, dilute stockholder value, and adversely affect our business, financial condition, and results of operations.
We have in the past and may in the future seek to acquire or invest in businesses, joint ventures, products and platform capabilities, technologies, or technical know-how that we believe could complement or expand our platform capabilities, enhance our technical capabilities, or otherwise offer growth opportunities. Further, the proceeds we received from the IPO increase the likelihood that we will devote resources to exploring larger and more complex acquisitions and investments than we have previously attempted. Any such acquisition or investment may divert the attention of management and cause us to incur various expenses in identifying, investigating, and pursuing suitable opportunities, whether or not the transactions are completed, and may result in unforeseen operating difficulties and expenditures. In particular, we may encounter difficulties assimilating or integrating the businesses, technologies, products and platform capabilities, personnel, or operations of any acquired companies, particularly if the key personnel of an acquired company choose not to work for us, their software is not easily adapted to work with our data security solutions, or we have difficulty retaining the customers of any acquired business due to changes in ownership, management, or otherwise. These transactions may also disrupt our business, divert our resources, and require significant management attention that would otherwise be available for development of our existing business. We may also have difficulty establishing our company values with personnel of acquired companies, which may negatively impact our culture and work environment. Any such transactions that we are able to complete may not result in any synergies or other benefits we had expected to achieve, which could result in impairment charges that could be substantial. In addition, we may not be able to find and identify desirable acquisition targets or business opportunities or be successful in entering into an agreement with any particular strategic partner. These transactions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our results of operations. In addition, if the resulting business from such a transaction fails to meet our expectations, our business, financial condition, and results of operations may be adversely affected, or we may be exposed to unknown risks or liabilities.
Any inability to maintain a high-quality customer support organization could lead to a lack of customer satisfaction, which could hurt our customer relationships and have an adverse effect on our business, financial condition, and results of operations.
Once our data security solutions are deployed, customers rely on our technical support services to assist with service customization and optimization and to resolve certain issues relating to the implementation and maintenance of our data security solutions. Customers also rely on our or our Channel Partners’ support personnel to resolve issues and realize the full benefits that our solutions provide. If we or our Channel Partners do not effectively assist customers in deploying our data security solutions, succeed in helping customers quickly resolve technical issues or provide effective ongoing support, our ability to sell additional data security solutions as part of our platform to existing customers would be adversely affected, and our reputation with potential customers could be damaged.
In addition, our sales process is highly dependent on our product and business reputation and on positive recommendations from existing customers. Any failure to maintain high-quality technical support, or a market perception that we do not maintain high-quality technical support, could adversely affect our reputation, our ability to sell our services to existing and prospective customers, and our business, financial condition, and results of operations.
Our business is subject to the risks of warranty claims and product defects from real or perceived defects in our data security solutions or their misuse by customers or third parties and indemnity provisions in various agreements that potentially expose us to substantial liability for intellectual property infringement and other losses.
We may in the future be subject to liability claims for damages related to undetected defects, errors, or vulnerabilities in our data security solutions. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our platform could harm our business, financial condition, and results of operations. Although we generally have limitation of liability provisions in our terms and conditions, in rare cases we have agreed to limited exceptions to such liability caps, and such limitation of liability provisions may not fully or effectively protect us from claims as a result of federal, state, or local laws or ordinances, or unfavorable judicial decisions in the United States or other countries.
Moreover, as part of our ransomware recovery warranty (the "Ransomware Recovery Warranty"), we also provide certain customers with up to $10,000,000 for recovery expenses related to data recovery and restoration in the event that data backed up using our solutions cannot be recovered following a ransomware attack. As part of the Ransomware Recovery Warranty, if an eligible customer’s data that has been backed up onto a Rubrik-branded Appliance, Rubrik-certified compatible third-party commodity server, or a Rubrik-hosted cloud platform, is not successfully recovered by way of one of our data security products due to a failure of such solution, we will reimburse the customer for its reasonable and necessary fees and expenses to restore, recover, or recreate its data up to $10,000,000. If many of our customers experience security incidents or other incidents that fall within this program and we are not able to recover their data through our data security solutions, we could be required to pay significant amounts to comply with our obligations under the Ransomware Recovery Warranty. In the event that we are required to regularly provide financial assistance for such recovery activities, and particularly if we have to do so for multiple customers at the same or similar times, this could significantly increase our costs, harm our reputation and brand, and increase the costs to us associated with this warranty program, which could adversely affect our business, financial condition, and results of operations.
Additionally, we typically provide indemnification to customers for certain losses suffered or expenses incurred as a result of third-party claims arising from our infringement of a third party’s intellectual property. We also may be exposed to liability for certain breaches of confidentiality or customer data, as defined in our terms of service which, as a standard practice, are generally subject to caps on liability. We also assume limited liability in the event we breach certain of our terms of service. Certain of these contractual provisions survive termination or expiration of the applicable agreement. We have not received any material indemnification claims from third parties. However, as we continue to grow, the possibility of these claims against us will increase.
If customers or other third parties with whom we do business make intellectual property infringement or other indemnification claims against us, we will incur significant legal expenses and may have to pay damages, license fees, or stop using technology found to be in violation of a third party’s rights. We may also have to seek a license for the technology. Such licenses may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain data security solutions or features. We may also be required to develop alternative non-infringing technology, which could either require significant effort and expense or cause us to alter our data security solutions, or both, which could harm our business. Large indemnity obligations, whether for intellectual property or in certain limited circumstances, other claims, would harm our business, financial condition, and results of operations.
Under certain circumstances, our personnel may have access to customer platforms. An employee may take advantage of such access to conduct malicious activities or fail to follow internal policies or make errors that could cause system failures, loss of data, or other adverse effects on our customers. Misuse of our data security solutions by our personnel could result in claims from our customers for damages related to such misuse. Such misuse of our data security solutions could also result in negative press coverage and negatively affect our reputation, which could result in harm to our reputation, business, financial condition, and results of operations. In addition, misuse of our data security solutions could also result in contractual breaches and damages to customers that may assert warranty and other claims for substantial damages against us.
We maintain insurance to protect against certain claims associated with the use of our data security solutions, but our insurance coverage may not adequately cover any claim asserted against us and is subject to deductibles. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation, divert management’s time and other resources, and harm our reputation, business, financial condition, and results of operations.
Failure to effectively develop and expand our sales and marketing capabilities or improve the productivity of our sales and marketing organization could harm our ability to expand our potential customer and sales pipeline, increase our customer base, and achieve broader market acceptance of our data security solutions.
Our ability to increase our customer base, achieve broader market adoption and acceptance of our data security solutions, and expand our potential customer and sales pipeline and brand awareness will depend to a significant extent on our ability to expand and improve the productivity of our sales and marketing organization. We plan to continue expanding our sales force, both domestically and internationally. We also plan to dedicate significant resources to sales and marketing programs to decrease the time required for our sales personnel to achieve desired productivity levels, which may be impacted in the short term from our new approach to sales force segmentation. Historically, newly hired sales personnel have needed several quarters to achieve desired productivity levels. Our increased sales and marketing efforts will also involve investing significant financial and other resources, which could result in increased costs and negatively impact margins. We are one of the only providers of a unified data security platform, so we must therefore invest heavily in our sales and marketing functions in order to educate customers and potential customers about our data security solutions. Our business and results of operations will be harmed if our sales and marketing efforts fail to successfully expand our potential customer and sales pipeline, including through increasing brand awareness, new customer acquisition, and market adoption of our platform and data security solutions, particularly for RSC, or fail to generate significant increases in revenue or result in increases that are smaller than anticipated. We may not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop, integrate, and retain talented and effective sales personnel, if our new and existing sales personnel, on the whole, are unable to achieve desired productivity levels in a reasonable period of time or at all, or if our sales and marketing programs are not effective.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, financial condition, and results of operations may be adversely affected.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future data security solutions and is an important element in attracting new customers. In addition, creating brand awareness of our relatively new data security solutions will require added investment in our marketing and branding activities. We believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand as a provider of data security solutions will depend largely on the effectiveness of our marketing efforts and on our ability to develop and deploy high-quality, reliable, and differentiated data security solutions to our customers. In the past, our efforts to build our brand have involved significant expense. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expense we incur in building our brand. If we fail to successfully promote and maintain our brand or incur substantial expense in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition, and results of operations could be adversely affected.
We have a limited history with pricing models for our data security solutions, and we may need to adjust the pricing terms of our data security solutions, which could have an adverse effect on our revenue and results of operations.
We have limited experience with respect to determining the optimal prices for subscriptions to and renewals of our data security solutions, new subscription editions, and new enterprise, cloud, and SaaS applications. As the market for cloud data security evolves, or as new competitors introduce new products or services that compete with ours, we may be unable to attract new customers. In the past, we have been able to increase our prices for our data security solutions, but we may choose not to introduce or be unsuccessful in implementing future price increases. Furthermore, since we have limited experience pricing RSC, we may be unsuccessful in implementing future price increases and our future pricing power may erode due to changing market dynamics, increased competition, ability to sell to information security teams, or other factors. As a result of these and other factors, in the future we may be required to reduce our prices or be unable to increase our prices, or it may be necessary for us to increase our services or data security solutions without additional revenue to remain competitive, all of which could harm our financial condition and results of operations.
We may require additional capital to support the growth of our business, and this capital might not be available on acceptable terms, if at all.
We have funded our operations since inception primarily through equity financings, sales of our data security solutions, and the utilization of debt products, including our Amended Credit Facility (as described in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Liquidity and Capital Resources”). We cannot be certain when or if our operations will generate sufficient cash to fully fund our ongoing operations or the growth of our business. We intend to continue to make investments to support our business, which may require us to engage in equity or debt financings to secure additional funds. Additional financing may not be available on terms favorable to us, if at all, particularly during times of market volatility, higher interest rates, inflationary pressures, and general economic instability. If adequate funds are not available on acceptable terms, we may be unable to invest in future growth opportunities, which could harm our business, financial condition, and results of operations. If we incur additional debt, the debt holders would have rights senior to holders of common stock to make claims on our assets, and the terms of any debt could restrict our operations, including our ability to pay dividends on our Class A common stock. Furthermore, if we issue additional equity securities, stockholders will experience dilution, and the new equity securities could have rights senior to those of our Class A common stock. Because our decision to issue securities in the future will depend on numerous considerations, including factors beyond our control, we cannot predict or estimate the amount, timing, or nature of any future issuances of debt or equity securities. As a result, our stockholders bear the risk of future issuances of debt or equity securities reducing the value of our Class A common stock and diluting their interests.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our results of operations.
Our data security solutions are billed in U.S. dollars, and therefore, our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar could increase the real cost of our data security solutions to our customers outside of the United States, which could adversely affect our results of operations. In addition, an increasing portion of our operating expenses are incurred outside the United States. These operating expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. While we do not currently hedge against the risks associated with currency fluctuations, if our foreign currency risk increases in the future and we are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be adversely affected.
Unfavorable conditions in our industry or the global economy, including those caused by the ongoing conflicts around the world, or reductions in technology spending, could limit our ability to grow our business and negatively affect our results of operations.
Global business activities face widespread macroeconomic uncertainties, and our results of operations may vary based on the impact of changes in our industry or the global economy on us or our customers and potential customers. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from changes in gross domestic product growth, financial and credit market fluctuations, inflation and efforts to control further inflation, including rising interest rates, bank failures, international trade relations, political turmoil, including the conflict in Israel and the surrounding area and the ongoing conflict between Russia and Ukraine, potential U.S. federal government shutdowns, natural catastrophes, warfare, and terrorist attacks could cause a decrease in business investments by existing or potential customers, including spending on technology, and negatively affect the growth of our business. As an example, in the United States, capital markets have experienced and continue to experience volatility and disruption. Furthermore, inflation rates in the United States have recently increased to levels not seen in decades. In addition to the foregoing, adverse developments that affect financial institutions, transactional counterparties, or other third parties, such as bank failures or concerns or speculation about any similar events or risks, could lead to market-wide liquidity problems, which in turn may cause third parties, including our customers, to become unable to meet their obligations under various types of financial arrangements as well as general disruptions or instability in the financial markets. Such economic volatility could adversely affect our business, financial condition, results of operations, and cash flows, and future market disruptions could negatively impact us. In particular, we have experienced and may continue to experience longer sales cycles and related negotiations for prospective customers and existing customer expansions, a reduction in multi-year upfront payments for our subscription offerings, reduced contract sizes or generally increased scrutiny on technology spending and budgets from existing and potential customers, due in part to the effects of macroeconomic uncertainty. These customer dynamics may persist in the future, even if macroeconomic conditions improve, and to the extent there is a sustained general economic downturn, a recession, or another situation where technology budgets grow at a slower rate or contract, these customer dynamics may be exacerbated. In addition to the foregoing, we have operations in Israel, which have been affected and may continue to be affected by the ongoing conflict in Israel and the surrounding area, and our growth, business, and results of operations could be further negatively impacted if the current conflict in Israel and the surrounding area continues, worsens, or expands to other nations or regions. Our competitors, many of whom are larger and have greater financial resources than we do, may respond to challenging market conditions by lowering prices in an attempt to attract our customers, which may require us to respond in kind and may negatively impact our existing customer relationships and new customer acquisition strategy. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our data security solutions. We cannot predict the timing, strength, or duration of any economic slowdown, instability, or recovery, generally or within any particular industry.
We typically provide service-level commitments under our customer agreements. If we fail to meet these commitments, we could face customer terminations, a reduction in renewals, and damage to our reputation, which would lower our revenue and harm our business, financial condition, and results of operations.
Our agreements with our customers typically provide for service-level commitments relating to service availability. If we fail to meet these commitments, we could be required to extend affected services at no charge and could face customer terminations, or a reduction in renewals, which could significantly affect both our current and future revenue. Any service-level commitment failures could also damage our reputation. The complexity and quality of our customers’ implementation and the performance and availability of cloud services and cloud infrastructure are outside our control, and therefore, we are not in full control of whether we can meet these service-level commitments. Our business, financial condition, and results of operations could be adversely affected if we fail to meet our service-level commitments for any reason. Any extended service outages could adversely affect our business, reputation, and brand.
Sales to enterprise customers involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations.
We are seeing an increasing volume of sales to large, enterprise customers. Sales to enterprise customers and large organizations involve risks that may not be present or that are present to a lesser extent with sales to smaller customers, including the commercial customer segment. These risks include longer sales cycles and negotiations, more complex customer requirements (including audit and other requirements driven by such customers’ regulatory and industry contexts), substantial upfront sales costs, and less predictability in completing some of our sales. For example, enterprise customers may require considerable time to evaluate and test our data security solutions and those of our competitors prior to making a purchase decision and placing an order or may need specialized security features to meet regulatory requirements. A number of factors influence the length and variability of our sales cycle, including the need to educate potential customers about the uses and benefits of our data security solutions, the discretionary nature of purchasing and budget cycles, the macroeconomic uncertainty and challenges and resulting increased technology spending scrutiny, and the competitive nature of evaluation and purchasing approval processes. Since the processes for deployment, configuration, and management of our data security solutions are complex, we are also often required to invest significant time and other resources to train and familiarize potential customers with our data security solutions. Customers may engage in extensive evaluation, testing, and quality assurance work before making a purchase commitment, which increases our upfront investment in sales, marketing, and deployment efforts, with no guarantee that these customers will make a purchase or increase the scope of their subscriptions. In certain circumstances, an enterprise customer’s decision to use our data security solutions may be an organization-wide decision, and therefore, these types of sales require us to provide greater levels of education regarding the use and benefits of our data security solutions. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, has varied, and may continue to vary, significantly from customer to customer, with sales to large enterprises and organizations typically taking longer to complete. Moreover, large enterprise customers often begin to deploy our data security solutions on a limited basis but nevertheless demand configuration, integration services, and pricing negotiations, which increase our upfront investment in the sales effort with no guarantee that these customers will deploy our data security solutions widely enough across their organization to justify our substantial upfront investment.
Given these factors, it is difficult to predict whether and when a sale will be completed and when revenue from a sale will be recognized due to the variety of ways in which customers may purchase our data security solutions. This may result in lower than expected revenue in any given period, which would have an adverse effect on our business, financial condition, and results of operations.
Our intellectual property rights may not adequately protect our business.
To be successful, we must protect our technology, know-how, and brand in the United States and other jurisdictions through trademarks, trade secrets, patents, copyrights, service marks, invention assignments, contractual restrictions, and other intellectual property rights and confidentiality procedures. Despite our efforts to implement these protections, they may not adequately protect our business for a variety of reasons, including:
•our inability to successfully register or obtain patents, trademarks, and other intellectual property rights that sufficiently protect our brand and the full scope of important innovations;
•any inability by us to maintain appropriate confidentiality and other protective measures to establish and maintain our trade secrets;
•uncertainty in, and evolution of, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights;
•potential invalidation of our intellectual property rights through administrative processes or litigation; and
•other practical, resource, or business limitations on our ability to detect and prevent infringement or misappropriation of our rights and to enforce our rights.
Further, the laws of certain foreign countries, particularly certain developing countries, do not provide the same level of protection of corporate proprietary information and assets, such as intellectual property, including trademarks, trade secrets, know-how, and records, as the laws of the United States and mechanisms for enforcement of intellectual property rights may be inadequate. As a result, we may encounter significant problems in protecting and defending our intellectual property or proprietary rights abroad. Additionally, we may also be exposed to material risks of theft or unauthorized reverse engineering of our proprietary information and other intellectual property, including software source code, designs, specifications, or other sensitive information. Our efforts to enforce our intellectual property rights in such foreign countries may be inadequate to obtain a significant commercial advantage from the intellectual property that we develop, which could have an adverse effect on our business, financial condition, and results of operations. Moreover, if we are unable to prevent the disclosure of our trade secrets to third parties, or if our competitors independently develop any of our trade secrets, we may not be able to establish or maintain a competitive advantage in our market, which could seriously harm our business.
We also contribute to open-source projects. Although we have internal policies and procedures designed to pre-approve the incorporation of any of our source code into open-source projects, any such contribution becomes publicly available, subject to the relevant open source license. As a result, our ability to protect some of our intellectual property rights in such source code may be limited or lost entirely, and we would be unable to prevent our competitors or others from using such contributed source code in accordance with the relevant open source license.
Litigation may be necessary to enforce our intellectual property or proprietary rights, protect our trade secrets, or determine the validity and scope of proprietary rights claimed by others. Any litigation, whether or not resolved in our favor, could result in significant expense to us, divert the time and efforts of our technical and management personnel, and result in counterclaims alleging infringement of intellectual property rights by us or challenging the validity or scope of our intellectual property rights, which may lead to the impairment or loss of portions of our intellectual property. If we are unable to prevent third parties from infringing upon or misappropriating our intellectual property or are required to incur substantial expenses defending our intellectual property rights, our business, financial condition, and results of operations may be adversely affected.
If we are not successful in expanding our operations and customer base internationally, our business and results of operations could be negatively affected.
A component of our growth strategy involves the further expansion of our operations and customer base internationally. Customers outside the United States generated 31% and 32% of our total revenue for fiscal 2023 and fiscal 2024, respectively. We are continuing to adapt to and develop strategies to expand in international markets, but there is no guarantee that such efforts will have the desired effect. For example, we anticipate that we will need to establish relationships with new Channel Partners in order to expand into certain countries, and if we fail to identify, establish, and maintain such relationships, we may be unable to execute on our expansion plans. As of January 31, 2024, approximately 46% of our full-time employees were located outside of the United States, with approximately 26% of our full-time employees located in India. We expect that our international activities will continue to grow for the foreseeable future as we continue to pursue opportunities in existing and new international markets, which will require significant dedication of management attention and financial resources. If we invest substantial time and resources to further expand our international operations and are unable to do so successfully and in a timely manner, our business and results of operations will suffer.
We are subject to stringent and evolving U.S. and foreign laws, regulations, rules, contractual obligations, policies, and other requirements relating to privacy and data security. Our actual or perceived failure to comply with such obligations could lead to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue, loss of customers or sales, and other adverse business consequences.
Due to the nature of the data security services and solutions we provide to our customers, we process various categories of data, including proprietary and confidential business data, trade secrets, intellectual property, data about individuals, and other data considered to be sensitive. Our data processing activities may subject us to numerous obligations relating to privacy and data security, such as various laws, regulations, guidance, industry standards, internal and external privacy and security policies, contractual requirements, and other obligations.
In the United States, federal, state, and local governments have enacted numerous data privacy and data security laws, including data breach notification laws, laws governing information about individuals, and consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act). For example, the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information. As another example, the California Consumer Privacy Act ("CCPA"), requires businesses to provide specific disclosures in privacy notices, implement new operational practices, and honor requests from California residents to exercise certain privacy rights. The CCPA contains significant potential penalties for noncompliance (up to $7,500 per violation). California has adopted a new law, the California Privacy Rights Act of 2020 ("CPRA"), that substantially expands the CCPA, effective January 1, 2023, including by establishing a new California Privacy Protection Agency and by applying to certain business contact information and employment-related data. Other states also passed comprehensive privacy laws, and similar laws are being considered in many other states as well as at the federal level. These developments may further complicate compliance efforts and may increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers.
Outside the United States, an increasing number of laws, regulations, and industry standards may apply to our data processing activities. For example, the European Union’s General Data Protection Regulation ("EU GDPR"), the United Kingdom’s General Data Protection Regulation ("UK GDPR"), and Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) (Law No. 13,709/2018) impose strict requirements for processing personal data. Under the EU GDPR, companies may face fines of up to the greater of 20 million Euros or 4% of their global annual revenues, temporary or definitive bans on data processing and other collective action, and private litigation related to the processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Furthermore, in Europe, there is a proposed regulation related to AI that, if adopted, could impose onerous obligations related to the use of AI-related systems. In Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and various related provincial laws, as well as Canada’s Anti-Spam Legislation ("CASL"), may apply to our operations. We also have operations in Japan and Singapore and may be subject to new and emerging data privacy regimes in Asia, including Japan’s Act on the Protection of Personal Information and Singapore’s Personal Data Protection Act.
Additionally, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws regulating the cross-border transfer of personal data from Europe to other countries, and, in particular, the European Economic Area and the United Kingdom, or UK, have significantly restricted the cross-border transfer of personal data to the United States, unless the entity has achieved compliance under the Data Privacy Framework and is listed as an active participant on the International Trade Administration’s website. Currently, we are a listed participant. However, given historical challenges to similarly positioned frameworks, it is possible that the Data Privacy Framework is invalidated in the future, and we will need to rely on other established transfer mechanisms for cross border transfers. Other jurisdictions may adopt similarly stringent interpretations of their cross-border data transfer laws. Although standard contractual clauses ("SCCs"), and other mechanisms, currently may be used to transfer personal data from the European Economic Area to the United States, these mechanisms are frequently subject to legal challenges, and the efficacy and longevity of such mechanisms for making data transfers from the European Economic Area to the United States remains uncertain. If there is no lawful manner for us to transfer personal data from the European Economic Area or other jurisdictions to the United States, we could face significant consequences, including restricting our operations or relocating part of or all of our business to other jurisdictions and increased exposure to regulatory actions, substantial fines, civil proceedings, and injunctions against processing or transferring personal data, as well as incurring the associated legal and compliance costs. Some European regulators have prevented companies from transferring personal data out of Europe.
In addition to privacy, data protection, and data security laws and regulations, we may be contractually subject to industry standards adopted by industry groups, such as the Payment Card Industry Data Security Standards ("PCI") and may become subject to such obligations in the future. Additionally, the demands our customers place on us relating to privacy, data protection, and data security are becoming more stringent. Data protection laws, such as the EU GDPR, UK GDPR, and CCPA, increasingly require companies to impose specific contractual restrictions on their service providers and contractors. In addition, customers that use certain of our data security solutions to process protected health information may require us to sign business associate agreements that subject us to the privacy and security requirements under HIPAA and HITECH, as well as state laws that govern the privacy and security of health information. Our customers’ increasing data privacy and data security standards also increase the cost and complexity of ensuring that we, and the third parties we rely on to operate our business and deliver our services, can meet these standards. If we, or the third parties on which we rely, are unable to meet our customers’ demands or comply with the increasingly stringent legal or contractual requirements relating to data privacy and data security, we may face increased legal liability, customer contract terminations, and reduced demand for our data security solutions.
Finally, we publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, as well as other documentation regarding our processing of information about individuals. If these policies, materials, statements, or documentations are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, regulatory enforcement actions, costly legal claims by affected individuals or our customers, or other adverse consequences.
Obligations related to data privacy and data security are quickly changing, becoming increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be subject to differing applications and interpretations by regulators and other stakeholders, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources. These obligations may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model.
Our business model materially depends on our ability to process personal data, so we are particularly exposed to the risks associated with the rapidly changing legal landscape. We may be at heightened risk of regulatory scrutiny, and any changes in the regulatory framework could require us to fundamentally change our business model. Despite our efforts to comply with applicable data privacy and data security obligations, we may at times fail (or be perceived to have failed) in our efforts to comply. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we, or the third parties on which we rely, fail, or are perceived to have failed, to address or comply with applicable data privacy and data security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims); additional reporting requirements and/or oversight; bans on processing personal data; orders to destroy or not use information about individuals; and imprisonment of company officials. As a data security company, we could be exposed to additional reputational risks should a data privacy incident occur.
As a result of being a public company, we are obligated to develop and maintain proper and effective internal control over financial reporting, and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our Class A common stock.
We are required, pursuant to Section 404 of the Sarbanes-Oxley Act of 2002, as amended ("Sarbanes-Oxley Act"), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting for the fiscal year ending January 31, 2026. This assessment will need to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. In addition, our independent registered public accounting firm will be required to attest to the effectiveness of our internal control over financial reporting in our first annual report required to be filed with the SEC following the date we are no longer an “emerging growth company.” We have recently commenced the costly and challenging process of compiling the system and processing documentation necessary to perform the evaluation needed to comply with Section 404 of the Sarbanes-Oxley Act ("Section 404"), but we may not be able to complete our evaluation, testing, and any required remediation in a timely fashion once initiated. Our compliance with Section 404 will require that we incur substantial expenses and expend significant management efforts. Although we currently have an internal audit group, we will need to hire additional accounting and financial staff with appropriate public company experience and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.
During the evaluation and testing process of our internal controls, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to certify that our internal control over financial reporting is effective. We cannot assure you that there will not be material weaknesses or significant deficiencies in our internal control over financial reporting in the future. Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines we have a material weakness or significant deficiency in our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our Class A common stock could decline, and we could be subject to sanctions or investigations by the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
We may become subject to intellectual property disputes, which can be costly and may subject us to significant liability and increased costs of doing business.
We have been and may continue in the future to be subject to intellectual property disputes. In regard to future litigation, our success depends, in part, on our ability to develop and commercialize our data security solutions without infringing, misappropriating, or otherwise violating the intellectual property rights of third parties. However, we may not be aware that our data security solutions are infringing, misappropriating, or otherwise violating third-party intellectual property rights, and such third parties may bring claims against us, our business partners, and our customers alleging such infringement, misappropriation, or violation. Companies in the software industry are often required to defend against litigation claims based on allegations of infringement, misappropriation, or other violations of intellectual property rights. For example, between 2020 and 2021, we were involved in patent disputes with two of our competitors which have since been resolved. However, we may not in all instances be able to obtain a settlement, or proactively defend or ascertain all third-party rights implicated by our business. Further, certain patent holders that own large numbers of patents and other intellectual property, including “non-practicing entities,” often threaten or enter into litigation based on allegations of infringement or other violations of intellectual property rights. Any claims of intellectual property infringement, even those without merit, may be time-consuming and expensive to resolve, divert management’s time and attention, cause us to cease using or incorporating the challenged technology, expose us to other legal liabilities, such as indemnification obligations, or require us to enter into licensing agreements to obtain the right to use a third party’s intellectual property. In addition, many companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. Any litigation may also involve patent holding companies or other adverse patent owners that have no relevant product revenue, and therefore, our patents may provide little or no deterrence as we would not be able to assert them against such entities or individuals. If we are found to infringe a third-party’s intellectual property rights and we cannot obtain a license or develop a non-infringing alternative, we would be forced to cease business activities related to such intellectual property. Although we carry general liability insurance, our insurance may not cover potential claims of this type or may not be adequate to indemnify us for all liability that may be imposed. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not have an adverse effect on our business, financial condition, or results of operations. Any intellectual property litigation to which we might become a party, or for which we are required to provide indemnification, may require us to do one or more of the following:
•cease selling or using data security solutions that incorporate the intellectual property rights that we allegedly infringe, misappropriate, or violate;
•make substantial payments for legal fees, settlement payments, or other costs or damages;
•obtain a license, which may not be available on reasonable terms or at all, to sell or use the relevant technology; or
•redesign the allegedly infringing data security solutions to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible.
Even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and results of operations. Moreover, there could be public announcements of the results of hearings, motions or other interim proceedings or developments, and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our Class A common stock. We expect that the occurrence of infringement claims is likely to grow as our business grows. Accordingly, our exposure to damages resulting from infringement claims could increase, and this could further exhaust our financial and management resources.
We and our employees have and may continue to be subject to claims alleging violations of our employees’ contractual obligations to their prior employers. These claims may be costly to defend, and if we do not successfully do so, our business could be harmed.
Many of our employees were previously employed at current or potential competitors. Although we have processes to ensure that our employees do not use proprietary information or disclose confidential information from their prior employer in their work for us or otherwise violate their contractual post-employment obligations such as customer and employee non-solicits, we or our employees may still in the future become subject to claims alleging such violations. Litigation may be necessary to defend against these claims. If we fail in defending such claims, in addition to paying monetary damages, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could negatively impact our business. Even if we are successful in defending against these claims, litigation efforts are costly, time-consuming, and a significant distraction to management.
Our company values have contributed to our success. If we cannot maintain these values as we grow, we could lose certain benefits we derive from them, and our employee turnover could increase, which could harm our business.
We believe our culture is driven by our company values which have been and will continue to be a key contributor to our success. Our core company values are:
•Relentlessness. Unyielding will and curiosity to tackle the hardest challenges.
•Integrity. Do what you say and do the right thing.
•Velocity. Drive clarity, decide quickly, and move fast to delight our customers.
•Excellence. Set a high standard and strive for greatness.
•Transparency. Build trust and drive smart decisions through transparent communication.
We have rapidly increased our workforce across all departments, and we expect to continue to hire across our business. Our anticipated headcount growth, combined with our transition from a privately held to a publicly traded company, may result in changes to certain employees’ adherence to our core company values. If we do not continue to maintain our adherence to our company values as we grow, including through any future acquisitions or other strategic transactions, we may experience increased turnover in a portion of our current employee base and may not continue to be successful in hiring future employees. Moreover, following our IPO, many of our employees may be eligible to receive significant proceeds from the sale of common stock in the public markets. This may lead to higher employee attrition rates or disparities in wealth among our employees, which may harm our culture and relations among employees.
We are subject to risks inherent in international operations that can harm our business, financial condition, and results of operations.
Our current and future international business and operations involve a variety of risks, including:
•slower than anticipated availability and adoption of cloud-based data security solutions by international organizations;
•changes in a specific country’s or region’s political or economic conditions;
•the need to adapt and localize our data security solutions for specific countries;
•greater difficulty collecting accounts receivable and longer payment cycles;
•potential changes in trade relations, regulations, or laws;
•unexpected changes in laws, including tax laws, or regulatory requirements;
•more stringent regulations relating to privacy, data security, and data localization requirements and the unauthorized use of, or access to, commercial and personal information;
•differing and potentially more onerous labor regulations, especially in Europe, where labor laws are generally more advantageous to employees as compared to the United States, including deemed hourly wage and overtime regulations in these locations;
•challenges inherent in efficiently managing, and the increased costs associated with, an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs that are specific to each jurisdiction;
•difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems, and regulatory systems;
•increased travel, real estate, infrastructure, and legal compliance costs associated with international operations;
•currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of entering into hedging transactions if we choose to do so in the future;
•limitations on our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;
•laws and business practices favoring local competitors or general market preferences for local vendors;
•limited or insufficient intellectual property protection or difficulties obtaining, maintaining, protecting, or enforcing our intellectual property rights, including our trademarks and patents, in the United States or other foreign jurisdictions, such as China;
•political instability, economic sanctions, terrorist activities, or international conflicts, including the conflict in Israel and the surrounding area and the ongoing conflict between Russia and Ukraine, which have in the past and may in the future impact the operations of our business or the businesses of our customers;
•inflationary pressures, such as those the global market is currently experiencing, which may increase costs for certain services;
•health epidemics or pandemics, such as the COVID-19 pandemic;
•exposure to liabilities under anti-corruption and similar laws, including FCPA, U.S. domestic bribery laws, the UK Bribery Act, and similar laws and regulations in other jurisdictions; and
•adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash.
The occurrence of any one of these risks could harm our international business and, consequently, our results of operations. Additionally, operating in international markets requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required to operate in other countries will produce desired levels of revenue or profitability.
Changes in tax laws or regulations could harm our financial condition and results of operations.
The tax regimes to which we are subject or under which we operate, including income and non-income taxes, are unsettled in certain respects and may be subject to significant change. Changes in tax laws or regulations, or changes in interpretations of existing laws and regulations, could materially affect our financial condition and results of operations. For example, the Tax Cuts and Jobs Act (the "Tax Act"), the Coronavirus Aid, Relief, and Economic Security Act, and the Inflation Reduction Act made many significant changes to the U.S. tax laws. Effective January 1, 2022, the Tax Act eliminated the option to deduct research and development expenses for tax purposes in the year incurred and instead requires taxpayers to capitalize and subsequently amortize such expenses over five years for research activities conducted in the United States and over 15 years for research activities conducted outside the United States. Although there have been legislative proposals to repeal or defer the capitalization requirement to later years, there can be no assurance that the provision will be repealed or otherwise modified. The Tax Act also includes certain U.S. tax base anti-erosion provisions, the global intangible low-taxed income ("GILTI") provisions, and the base erosion anti-abuse tax ("BEAT") provisions. The GILTI provisions require us to include in our U.S. taxable income foreign subsidiary earnings in excess of an allowable return on the foreign subsidiary’s tangible assets. We currently have no foreign subsidiaries with material earnings. Therefore, this provision currently has no material impact on us. The BEAT provisions apply to companies with average annual gross receipts of $500 million or more for the prior three-year period, eliminate the deduction of certain base-erosion payments made to related foreign corporations, and impose a minimum tax if greater than regular tax. We are evaluating the BEAT rules and do not currently expect the BEAT rules to have a material impact on U.S. tax expense in the near term; however, the potential impact of the BEAT rules on us in the future is not certain.
In addition, our tax obligations and effective tax rate in the jurisdictions in which we conduct business could increase, including as a result of the base erosion and profit shifting ("BEPS") project that is being led by the Organization for Economic Co-operation and Development ("OECD"), and other initiatives led by the OECD or the European Commission. For example, the OECD is leading work on proposals commonly referred to as “BEPS 2.0,” which, if and to the extent implemented, would make important changes to the international tax system. These proposals are based on two “pillars,” involving the reallocation of taxing rights in respect of certain profits of multinational enterprises above a fixed profit margin to the jurisdictions within which they carry on business (subject to certain revenue threshold rules, which we do not currently meet but may meet in the future), referred to as “Pillar One,” and imposing a minimum effective tax rate on certain multinational enterprises, referred to as “Pillar Two.” A number of countries in which we conduct business have enacted with effect from January 1, 2024, or are in the process of enacting, core elements of the Pillar Two rules. Based on our current understanding of the minimum revenue thresholds contained in the Pillar Two proposal, we expect that we are likely to fall within the scope of its rules in the short-to-medium term. The OECD has issued administrative guidance providing transition and safe harbor rules in relation to the implementation of the Pillar Two proposal. We are monitoring developments and evaluating the potential impacts of these new rules, including on our effective tax rates, and considering our eligibility to qualify for these safe harbor rules. As another example, several countries have proposed or enacted taxes applicable to digital services, which could apply to our business.
Due to the large and expanding scale of our international business activities, these types of changes to the taxation of our activities could increase our worldwide effective tax rate, increase the amount of taxes imposed on our business, and increase our compliance costs. Such changes also may apply retroactively to our historical operations and result in taxes greater than the amounts estimated and recorded in our condensed consolidated financial statements. Any of these outcomes could harm our financial position and results of operations.
We could be required to collect additional sales or other indirect taxes or be subject to other tax liabilities in various jurisdictions that may adversely affect our results of operations.
We sell subscriptions and services primarily through a distribution channel, but if we were to begin selling more (or, in respect of certain jurisdictions, any) subscriptions and services directly to end user or non-business customers, we may be adversely impacted because an increasing number of U.S. states and foreign jurisdictions are considering or have adopted laws that impose tax collection obligations on out-of-state companies or on companies with no taxable presence within such jurisdictions. State, local, or foreign governments may interpret existing laws, or have adopted or may adopt new laws, requiring us to calculate, collect and remit taxes on sales in their jurisdictions. A successful assertion by one or more taxing jurisdictions requiring us to collect taxes in jurisdictions in which we do not currently do so or to collect additional taxes in jurisdictions in which we currently collect taxes, could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest, and additional administrative expenses, which could harm our business. The imposition by state, local, or foreign governments of sales or other indirect tax collection obligations on out-of-state sellers or sellers with no taxable presence within the relevant jurisdiction also could create additional administrative burdens for us, put us at a competitive disadvantage if they do not impose similar obligations on our competitors, and decrease our future sales, which could have an adverse effect on our business and results of operations.
Our ability to use our net operating losses to offset future taxable income may be subject to certain limitations.
As of January 31, 2024, we had net operating loss ("NOL"), carryforwards for federal and state income tax purposes of $672.9 million and $250.9 million, respectively, which may be available to offset taxable income in the future, and portions of which expire in various years beginning in 2037 for federal purposes and 2028 for state purposes if not utilized. Under current law, U.S. federal NOLs incurred in taxable years beginning after December 31, 2017 may be carried forward indefinitely, but such federal NOLs are permitted to be used in any taxable year to offset only up to 80% of taxable income in such year. A lack of future taxable income would adversely affect our ability to utilize certain of these NOLs before they expire. In addition, under Section 382 of the Internal Revenue Code of 1986, as amended (the "Code"), a corporation that undergoes an “ownership change” (as defined under Section 382 of the Code and applicable Treasury Regulations; generally a greater than 50 percentage point change (by value) in its equity ownership by certain stockholders over a three-year period) is subject to limitations on its ability to utilize its pre-change NOLs to offset future taxable income. We have experienced ownership changes under Section 382 of the Code in the past and we may experience additional ownership changes in the future which could affect our ability to utilize our NOLs to offset our income. Similar provisions of state tax law may also apply. Furthermore, our ability to utilize NOLs of companies that we have acquired or may acquire in the future also may be subject to limitations. There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable to reduce future income tax liabilities, including for state tax purposes. For example, California has suspended the use of California state net operating losses to offset taxable income in tax years beginning after 2023 and before 2027. For these reasons, we may not be able to utilize a material portion of the NOLs reflected on our balance sheet, even if we attain profitability, which could potentially result in increased future tax liability to us and could adversely affect our results of operations and financial condition.
We may be subject to additional tax liabilities, which could adversely affect our results of operations.
We are subject to taxes in the United States in federal, state, and local jurisdictions and in certain foreign jurisdictions in which we operate. The amount of taxes we pay in different jurisdictions depends on the application of the relevant tax laws to our business activities, the relative amounts of income before taxes in the various jurisdictions in which we operate, the application of new or revised tax laws, the interpretation of existing tax laws and policies, the outcome of current and future tax audits, examinations, or administrative appeals, our ability to realize our deferred tax assets, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. We generally conduct our international operations through subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. We may be subject to examination by U.S. federal, state, local, and foreign tax authorities, and such tax authorities may disagree with our tax positions. Our methodologies for pricing intercompany transactions may be challenged, or the taxing authorities in the jurisdictions in which we operate may disagree with our determinations as to the income and expenses attributable to specific jurisdictions or the ownership of certain property acquired or developed pursuant to our intercompany arrangements or property of companies that we have acquired or may acquire in the future. If such a challenge or disagreement were to occur and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. While we regularly assess the likelihood of adverse outcomes from any such examinations and the adequacy of our provision for taxes, there can be no assurance that such provision is sufficient or that a determination by a tax authority would not adversely affect our business, financial condition, and results of operations. The determination of our overall provision for income and other taxes is inherently uncertain because it requires significant judgment with respect to complex transactions and calculations. As a result, fluctuations in our tax liabilities may differ materially from amounts recorded in our financial statements and could adversely affect our business, financial condition, and results of operations in the periods for which such determination is made.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our results of operations could be adversely affected.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our condensed consolidated financial statements and accompanying notes appearing elsewhere in this Quarterly Report on Form 10-Q. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Critical Accounting Policies and Estimates.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant estimates and judgments involve our common stock valuations prior to the completion of the IPO, the volatility used to determine the grant date fair value of our CEO Performance Award, the identification of the number of performance obligations in our RSC subscription offerings, and our material rights associated with our Refresh Rights and Subscription Credits. Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the market price of our Class A common stock.
Our leverage could adversely affect our financial condition, our ability to raise additional capital to fund our operations, our ability to operate our business, and our ability to react to changes in the economy or our industry, as well as divert our cash flow from operations for debt payments and prevent us from meeting our debt obligations.
We entered into the Amended Credit Facility in August 2023 with Goldman Sachs BDC, Inc., as administrative agent, and the other lenders party thereto, consisting of a $289.5 million term loan and $40.5 million of committed delayed draw term loans. The term loans mature in August 2028, and the interest payments associated with the term loans are due quarterly. The Amended Credit Facility refinanced and replaced the term loan facility we previously entered into in June 2022 with Goldman Sachs BDC, Inc., as administrative agent, and the other lenders party thereto.
Our leverage could have an adverse effect on our business and financial condition, including:
•requiring a substantial portion of cash flow from operations to be dedicated to the payment of principal and interest on our indebtedness, thereby reducing our ability to use our cash flow to fund our operations and capital expenditures and pursue future business opportunities;
•exposing us to increased interest expense, as our degree of leverage may cause the interest rates of any future indebtedness, whether fixed or floating rate interest, to be higher than they would be otherwise;
•making it more difficult for us to satisfy our obligations with respect to our indebtedness, and any failure to comply with the obligations of any of our debt instruments, including restrictive covenants, could result in an event of default that accelerates our obligation to repay indebtedness;
•restricting us from making strategic acquisitions;
•limiting our ability to obtain additional financing for working capital, capital expenditures, product development, satisfaction of debt service requirements, acquisitions, and general corporate or other purposes;
•increasing our vulnerability to adverse economic, industry, or competitive developments; and
•limiting our flexibility in planning for, or reacting to, changes in our business or market conditions and placing us at a competitive disadvantage compared to our competitors who may be better positioned to take advantage of opportunities that our existing indebtedness prevents us from exploiting.
A substantial majority of our existing indebtedness consists of indebtedness under our Amended Credit Facility with Goldman Sachs BDC, Inc., as administrative agent, and the other lenders party thereto, which matures in August 2028. We may not be able to further refinance the existing indebtedness because of the amount of our debt, debt incurrence restrictions under our debt agreements, or adverse conditions in credit markets generally. Our inability to generate sufficient cash flow to satisfy our obligations, or to refinance our indebtedness on commercially reasonable terms or at all, would result in an adverse effect on our business, financial condition, and results of operations.
Furthermore, we may incur significant additional indebtedness in the future. Although the financing documents that govern substantially all of our indebtedness contain restrictions on the incurrence of additional indebtedness and entering into certain types of other transactions, these restrictions are subject to a number of qualifications and exceptions. Additional indebtedness incurred in compliance with these restrictions could be substantial. To the extent we incur additional indebtedness, the significant leverage risks described above would be exacerbated.
The terms of the financing documents governing our term loan and credit facilities restrict our current and future operations, particularly our ability to respond to changes or to take certain actions.
The financing documents governing our credit facilities impose significant operating and financial restrictions on us and may limit our ability to engage in acts that may be in our long-term best interests, including restrictions on our ability to:
•incur or guarantee additional indebtedness;
•pay dividends and make other distributions on, or redeem or repurchase, capital stock;
•make certain investments;
•incur certain liens;
•enter into transactions with affiliates;
•merge or consolidate;
•enter into agreements that restrict the ability of subsidiaries to make certain intercompany dividends, distributions, payments, or transfers; and
•transfer or sell assets, including our intellectual property.
As a result of the restrictions described above, we will be limited as to how we conduct our business, and we may be unable to raise additional debt or equity financing to compete effectively or to take advantage of new business opportunities. The terms of any future indebtedness we may incur could include more restrictive covenants. We cannot assure you that we will be able to maintain compliance with these covenants in the future and, if we fail to do so, that we will be able to obtain waivers from the lenders or amend the covenants.
Our failure to comply with the restrictive covenants described above as well as other terms of our indebtedness or the terms of any future indebtedness we may incur from time to time could result in an event of default, which, if not cured or waived, could result in our being required to repay these borrowings before their due date. If we are forced to refinance these borrowings on less favorable terms or are unable to refinance these borrowings, our business, financial condition, and results of operations could be adversely affected.
The dual class structure of our common stock has the effect of concentrating voting control with the holders of our Class B common stock, including our executive officers, employees, and directors and their affiliates, and limiting your ability to influence corporate matters, which could adversely affect the trading price of our Class A common stock.
Our Class B common stock has 20 votes per share, whereas our Class A common stock has one vote per share. As a result, as of October 31, 2024, holders of our Class B common stock, including our executive officers and directors and their affiliates, together hold approximately 96% of the voting power of our outstanding capital stock, and our directors, executive officers, and principal stockholders beneficially own approximately 49% of our outstanding classes of common stock as a whole, but control approximately 87% of the voting power of our outstanding common stock. As a result, our executive officers, directors, and other affiliates have significant influence over our management and affairs and over all matters requiring stockholder approval, including election of directors and significant corporate transactions, such as a merger or other sale of the company or our assets, for the foreseeable future.
In addition, the holders of Class B common stock collectively will continue to be able to control all matters submitted to our stockholders for approval even if their stock holdings represent less than 50% of the outstanding shares of our common stock. Because of the 20-to-1 voting ratio between our Class B common stock and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock even when the shares of Class B common stock represent as little as 5% of the outstanding shares of our Class A common stock and Class B common stock. This concentrated control will limit your ability to influence corporate matters for the foreseeable future, and, as a result, the market price of our Class A common stock could be adversely affected.
Future transfers by holders of shares of Class B common stock will generally result in those shares converting to shares of Class A common stock, which will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who retain their shares in the long term.
FTSE Russell does not allow most newly public companies utilizing dual or multi-class capital structures to be included in their indices, including the Russell 2000. Also, in 2017, MSCI, a leading stock index provider, opened public consultations on its treatment of no-vote and multi-class structures and temporarily barred new multi-class listings from certain of its indices; however, in October 2018, MSCI announced its decision to include equity securities “with unequal voting structures” in its indices and to launch a new index that specifically includes voting rights in its eligibility criteria. Under the announced policies, our dual class capital structure would make us ineligible for inclusion in certain indices, and as a result, mutual funds, exchange-traded funds, and other investment vehicles that attempt to passively track these indices will not be investing in our stock. In addition, we cannot assure you that other stock indices will not take similar actions. Given the sustained flow of investment funds into passive strategies that seek to track certain indices, exclusion from certain stock indices would likely preclude investment by many of these funds and would make our Class A common stock less attractive to other investors. As a result, the trading price, volume, and liquidity of our Class A common stock could be adversely affected.
Our stock price may be volatile, and the value of our Class A common stock may decline.
The market price of our Class A common stock may be highly volatile and may fluctuate or decline substantially as a result of a variety of factors, some of which are beyond our control, including:
•actual or anticipated fluctuations in our financial condition or results of operations;
•variance in our financial performance from our forecasts or the expectations of securities analysts;
•changes in our revenue mix;
•changes in the pricing of our data security solutions;
•changes in our projected operating and financial results;
•changes in laws or regulations applicable to our data security solutions;
•announcements by us or our competitors of significant business developments, acquisitions, or new data security solutions;
•significant data breaches, disruptions to, or other incidents involving our data security solutions;
•our involvement in litigation;
•future sales of our Class A common stock by us or our stockholders, as well as the anticipation of lock-up releases;
•changes in senior management or key personnel;
•the trading volume of our Class A common stock;
•changes in the anticipated future size and growth rate of our market;
•rumors and market speculation involving us or other companies in our industry;
•overall performance of the equity markets;
•general political, social, economic, and market conditions, in both domestic and our foreign markets, including effects of increased; and
•interest rates, inflationary pressures, bank failures, and macroeconomic uncertainty and challenges.
Broad market and industry fluctuations, as well as general economic, political, regulatory, and market conditions, may also negatively impact the market price of our Class A common stock. In addition, technology stocks have historically experienced high levels of volatility. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial expenses and divert our management’s attention.
Future sales of our Class A common stock in the public market could cause the market price of our Class A common stock to decline.
Sales of a substantial number of shares of our Class A common stock in the public market following our IPO, or the perception that these sales might occur, could depress the market price of our Class A common stock and could impair our ability to raise capital through the sale of additional equity securities. Many of our equity holders who held our capital stock prior to completion of the IPO have substantial unrecognized gains on the value of the equity they hold based upon the price at which shares were sold in our IPO, and therefore, they may take steps to sell their shares or otherwise secure the unrecognized gains on those shares. We are unable to predict the timing of or the effect that such sales may have on the prevailing market price of our Class A common stock.
All of our directors, executive officers, and the holders of substantially all of our common stock outstanding and securities exercisable for or convertible into our common stock, have entered into lock-up agreements with the underwriters and/or agreements with market stand-off provisions that restrict our and their ability to sell or transfer shares of our capital stock and securities convertible into or exercisable or exchangeable for shares of our capital stock, for the period ending on the date on which an open trading window period commences following our release of earnings for the quarter ending July 31, 2024, or the Lock-up Period, subject to certain customary exceptions and certain provisions that provide for the release of certain shares of our common stock. In addition, Goldman Sachs & Co. LLC may release any of the securities subject to these lock-up agreements at any time, subject to the applicable notice requirements.
In addition, as of October 31, 2024, there were 9,985,332 shares of Class B common stock issuable upon the exercise of options and 22,573,802 restricted stock units ("RSUs"), to be settled in shares of our Class B common stock. We have registered all of the shares of common stock issuable upon exercise of outstanding options, the vesting and settlement of outstanding RSUs, and other equity incentives we may grant in the future, for public resale under the Securities Act. The shares of common stock will become eligible for sale in the public market to the extent such options are exercised or RSUs are vested and settled, subject to the lock-up agreements described above and compliance with applicable securities laws.
Further, certain holders of our common stock have rights, subject to some conditions, to require us to file registration statements covering the sale of their shares or to include their shares in registration statements that we may file for ourselves or other stockholders.
Our issuance of additional capital stock in connection with financings, acquisitions, investments, our equity incentive plans, or otherwise will dilute all other stockholders.
We expect to issue additional capital stock in the future that will result in dilution to all other stockholders. We expect to grant equity awards to employees, directors, and consultants under our equity incentive plans. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in companies, products, or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our Class A common stock to decline.
We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our Class A common stock.
We have never declared or paid any cash dividends on our capital stock, and we do not intend to pay any cash dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors. In addition, our Amended Credit Facility contains restrictions on our ability to pay cash dividends on our Class A Common Stock. Additionally, our ability to pay dividends may be further restricted by agreements we may enter into in the future. Accordingly, you may need to rely on sales of our Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on your investment.
We are an “emerging growth company,” and we cannot be certain if the reduced reporting and disclosure requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors.
We are an “emerging growth company,” as defined in the JOBS Act, and we may take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies,” including the auditor attestation requirements of Section 404, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements, and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. Pursuant to Section 107 of the JOBS Act, as an emerging growth company, we have elected to use the extended transition period for complying with new or revised accounting standards until those standards would otherwise apply to private companies. As a result, our condensed consolidated financial statements may not be comparable to the financial statements of issuers who are required to comply with the effective dates for new or revised accounting standards that are applicable to public companies, which may make our Class A common stock less attractive to investors. In addition, if we cease to be an emerging growth company, we will no longer be able to use the extended transition period for complying with new or revised accounting standards.
We will remain an emerging growth company until the first to occur of: (1) the last day of the year following the fifth anniversary of our IPO; (2) the last day of the first year in which our annual gross revenue is $1.235 billion or more; (3) the date on which we have, during the previous rolling three-year period, issued more than $1.0 billion in non-convertible debt securities; and (4) the date we qualify as a “large accelerated filer,” with at least $700 million of equity securities held by non-affiliates.
We cannot predict if investors will find our Class A common stock less attractive if we choose to rely on these exemptions. For example, if we do not adopt a new or revised accounting standard, our future results of operations may not be as comparable to the results of operations of certain other companies in our industry that adopted such standards. If some investors find our Class A common stock less attractive as a result, there may be a less active trading market for our Class A common stock, and our stock price may be more volatile.
We incur significant costs as a result of operating as a public company, and our management is required to devote substantial time to compliance with our public company responsibilities and corporate governance practices.
As a public company, we incur significant legal, accounting, and other expenses that we did not incur as a private company, which we expect to further increase after we are no longer an “emerging growth company.” The Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of the New York Stock Exchange, and other applicable securities rules and regulations impose various requirements on public companies. Our management and other personnel devote a substantial amount of time to compliance with these requirements. Moreover, these rules and regulations have increased our legal and financial compliance costs and have made some activities more time-consuming and costly. We cannot predict or estimate the amount of additional costs we will incur as a public company or the specific timing of such costs.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove our current management, and limit the market price of our Class A common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of preventing a change of control or changes in our management. Our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
•authorize our board of directors to issue, without further action by the stockholders, shares of undesignated preferred stock with terms, rights, and preferences determined by our board of directors that may be senior to our Class A common stock;
•require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent;
•specify that special meetings of our stockholders can be called only by our board of directors, the chairperson of our board of directors, our chief executive officer, or our president (in the absence of a chief executive officer);
•establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for election to our board of directors;
•establish that our board of directors is divided into three classes, with each class serving three-year staggered terms;
•prohibit cumulative voting in the election of directors;
•provide that our directors may be removed for cause only upon the vote of at least 66 2/3% of our outstanding shares of voting stock;
•provide that vacancies on our board of directors may be filled only by the affirmative vote of a majority of directors then in office, even though less than a quorum, or by a sole remaining director; and
•require the approval of our board of directors or the holders of at least 66 2/3% of our outstanding shares of voting stock to amend our bylaws and certain provisions of our certificate of incorporation.
These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally, subject to certain exceptions, prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became an “interested” stockholder. Any of the foregoing provisions could limit the price that investors might be willing to pay in the future for shares of our Class A common stock, and they could deter potential acquirers of our company, thereby reducing the likelihood that holders of our Class A common stock would receive a premium for their shares of our Class A common stock in an acquisition.
Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware and the federal district courts of the United States of America as the exclusive forums for certain disputes between us and our stockholders, which restricts our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers, or employees.
Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware (or, if and only if the Court of Chancery of the State of Delaware lacks subject matter jurisdiction, any state court located within the State of Delaware or, if and only if all such state courts lack subject matter jurisdiction, the federal district court for the District of Delaware) is the sole and exclusive forum for the following types of actions or proceedings under Delaware statutory or common law: (i) any derivative action or proceeding brought on our behalf; (ii) any action or proceeding asserting a claim of breach of a fiduciary duty owed by any of our current or former directors, officers, or other employees to us or our stockholders, or any action asserting a claim for aiding and abetting such breach of fiduciary duty; (iii) any action or proceeding asserting a claim against us or any of our current or former directors, officers or other employees arising out of or pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws; (iv) any action or proceeding to interpret, apply, enforce or determine the validity of our amended and restated certificate of incorporation or our amended and restated bylaws (including any right, obligation, or remedy thereunder); (v) any action or proceeding as to which the Delaware General Corporation Law confers jurisdiction to the Court of Chancery of the State of Delaware; and (vi) any action or proceeding asserting a claim against us or any of our current or former directors, officers, or other employees that is governed by the internal affairs doctrine, in all cases to the fullest extent permitted by law and subject to the court’s having personal jurisdiction over the indispensable parties named as defendants. This provision does not apply to suits brought to enforce a duty or liability created by the Securities Exchange Act of 1934, as amended (the" Exchange Act"), or any other claim for which the federal courts have exclusive jurisdiction. In addition, to prevent having to litigate claims in multiple jurisdictions and the threat of inconsistent or contrary rulings by different courts, among other considerations, our amended and restated certificate of incorporation provides that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the federal district courts of the United States of America are the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act, including all causes of action asserted against any defendant named in such complaint. For the avoidance of doubt, this provision is intended to benefit and may be enforced by us, our officers and directors, the underwriters to any offering giving rise to such complaint, and any other professional entity whose profession gives authority to a statement made by that person or entity and who has prepared or certified any part of the documents underlying the offering. However, as Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all suits brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder, there is uncertainty as to whether a court would enforce such provision. Our amended and restated certificate of incorporation further provides that any person or entity holding, owning, or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to these provisions. Investors also cannot waive compliance with the federal securities laws and the rules and regulations thereunder.
These choice of forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, or other employees. While the Delaware courts have determined that such choice of forum provisions are facially valid, a stockholder may nevertheless seek to bring such a claim arising under the Securities Act against us, our directors, officers, or other employees in a venue other than in the federal district courts of the United States of America. In such instance, we would expect to vigorously assert the validity and enforceability of the exclusive forum provisions of our amended and restated certificate of incorporation. This may require significant additional costs associated with resolving such action in other jurisdictions and we cannot assure you that the provisions will be enforced by a court in those other jurisdictions. If a court were to find either exclusive-forum provision in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur further significant additional costs associated with resolving the dispute in other jurisdictions, all of which could harm our business.
If securities or industry analysts do not publish research or publish unfavorable or inaccurate research about our business, the market price and trading volume of our Class A common stock could decline.
The market price and trading volume of our Class A common stock is heavily influenced by the way analysts interpret our financial information and other disclosures. We do not have control over these analysts. If industry analysts cease coverage of us, our stock price would be negatively affected. If securities or industry analysts do not publish research or reports about our business, downgrade our Class A common stock, or publish negative reports about our business, our stock price would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us regularly, demand for our Class A common stock could decrease, which might cause our stock price to decline and could decrease the trading volume of our Class A common stock.
General Risk Factors
Any future litigation against us could be costly and time-consuming to defend.
We have in the past been and in the future may become subject to legal proceedings and claims that arise in the ordinary course of business, such as intellectual property claims, including trade secret misappropriation and breaches of confidentiality terms, alleged breaches of non-competition or non-solicitation terms, or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition, and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims, and might not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial condition, and results of operations.
Our business could be disrupted by catastrophic events.
Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or commodity appliance malfunction, cyberattack, war, or terrorist attack, explosion, or pandemic could impact our business. In particular, our corporate headquarters are located in the San Francisco Bay Area, a region known for seismic activity, and are thus vulnerable to damage in an earthquake. Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. Additionally, we rely on third-party cloud providers and enterprise applications, technology systems, and our website for our development, marketing, operational support, hosted services, and sales activities. In the event of a catastrophic event, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our product development, lengthy interruptions in our data security solutions, and breaches of data security, all of which could have an adverse effect on our results of operations. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster and to execute successfully on those plans in the event of a disaster or emergency, our business would be harmed.
Item 2. Unregistered Sales of Equity Securities and Use of Proceeds
(a) Recent Sales of Unregistered Securities.
None.
(b) Use of Proceeds.
On April 29, 2024, we completed our IPO, in which we issued and sold 23,500,000 shares of our Class A common stock, at a public offering price of $32.00 per share. We received net proceeds of approximately $710.3 million, after deducting underwriting discounts and commissions of $41.7 million. In May 2024, our underwriters exercised their option to purchase an additional 3,472,252 shares of our Class A common stock at the IPO Price of $32.00 per share. We received net proceeds of approximately $104.9 million, net of underwriters’ discounts and commissions. All shares sold were registered pursuant to a registration statement on Form S-1 (File No. 333-278434), as amended (the “Registration Statement”), declared effective by the SEC on April 24, 2024. Goldman Sachs & Co. LLC acted as the representative of the underwriters for the offering. The offering terminated after the sale of all securities registered pursuant to the Registration Statement. No payments for such expenses were made directly or indirectly to (i) any of our officers or directors or their associates, (ii) any persons owning 10% or more of any class of our equity securities, or (iii) any of our affiliates.
There has been no material change in the planned use of proceeds from our IPO as described in our Final Prospectus for the IPO dated as of April 24, 2024 and filed with the SEC pursuant to Rule 424(b)(4) on April 26, 2024.
During the quarter ended October 31, 2024, our directors and officers (as defined in Rule 16a-1(f) under the Exchange Act) adopted or terminated the Rule 10b5-1 trading arrangements (as defined in Item 408(a) of Regulation S-K) described below:
On September 21, 2024, Arvind Nithrakashyap, our Chief Technology Officer, adopted a trading arrangement intended to satisfy the affirmative defense conditions of Rule 10b5-1(c). Mr. Nithrakashyap’s trading arrangement provides for the sale through December 10, 2025 of up to 584,726 shares of our Class A common stock. This represents the maximum number of shares that may be sold pursuant to the 10b5-1 arrangement. The actual number of shares sold will be dependent on the satisfaction of certain conditions set forth in the written plan.
On October 15, 2024, a trust affiliated with John W. Thompson, one of our directors, adopted a trading arrangement intended to satisfy the affirmative defense conditions of Rule 10b5-1(c). This trading arrangement provides for the sale through December 31, 2025 of up to 108,108 shares of our Class A common stock. This represents the maximum number of shares that may be sold pursuant to the 10b5-1 arrangement. The actual number of shares sold will be dependent on the satisfaction of certain conditions set forth in the written plan.
The following financial information from Rubrik Inc.'s Quarterly Report on Form 10-Q for the quarter ended October 31, 2024 formatted in Inline XBRL (Extensible Business Reporting Language) includes: (i) the Condensed Consolidated Balance Sheets, (ii) the Condensed Consolidated Statements of Operations, (iii) the Condensed Consolidated Statements of Comprehensive Loss, (iv) the Condensed Consolidated Statements of Redeemable Convertible Preferred Stock and Stockholders' Deficit, (v) the Condensed Consolidated Statements of Cash Flows, and (vi) Notes to the Condensed Consolidated Financial Statements.
X
104
Cover Page Interactive Data File (formatted as inline XBRL and contained in Exhibits 101).
X
* The certifications furnished in Exhibits 32.1 and 32.2 hereto are deemed to accompany this Quarterly Report on Form 10-Q and are not deemed “filed” for purposes of Section 18 of the Exchange Act, or otherwise subject to the liability of that section, nor shall they be deemed incorporated by reference into any filing under the Securities Act or the Exchange Act, irrespective of any general incorporation language contained in such filing.
Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.